Recently, the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR) fined Children’s Medical Center of Dallas $3.2 million for what OCR described as the hospital’s noncompliance “over many years with multiple standards of the HIPAA Security Rule.” Unfortunately, multimillion-dollar noncompliance fines like this one have become almost routine in health care.
The need for a comprehensive compliance program in hospitals has never been greater or more apparent. And with the financial pressures faced by healthcare leaders, now is the time to invest in such a program to avoid incurring the high cost of noncompliance.
What Drives Cuts
There are various reasons that healthcare finance leaders are inclined to cut or trim their compliance resources over other programs. The following are the most common reasons:
- The organization does not understand the risk of noncompliance.
- The organization does not believe it will ever be investigated for noncompliant actions.
- The organization believes it can defend claims of noncompliance.
- Management decides that cutting compliance resources is necessary to protect the organization’s financial health.
Each of these reasons is based on a fallacy, however. And if finance leaders understand the underlying fallacy in each case, it will quickly become apparent to them why investing in compliance should be on every C-suite executive’s priority list.
The organization does not understand the risk of noncompliance. The fallacy here is that the risk of noncompliance is not so great as to require the organization’s full attention. Noncompliance can result in significant and costly consequences. Ultimately, an organization stands to lose certifications, permissions to operate, and federal funds.
The organization does not believe it will ever be investigated for noncompliant actions. Numerous case studies reveal stories of hospitals and healthcare organizations that thought they would never be investigated. The list of recent targets of noncompliance investigations includes several well-respected organizations such as Life Care Centers of America, Dignity Health, and Johnson & Johnson.
The organization believes it can defend claims of noncompliance. In fact, defending noncompliance claims is difficult and expensive. Lawyers and compliance consultants are just the beginning of the costs. A negative public image could be even more expensive.
Simply put, the cost of noncompliance is greater than that of compliance. Cutting aspects of the compliance program (e.g., staff, technology, consultants) tells a future investigator or whistleblower that the organization knew the risk but was not committed to maintaining the same level of compliance it had in the past. It is far more practical—and cheaper—for an organization to mitigate the risk of noncompliance, rather than defend itself after the fact. Healthcare leaders who invest in a strong compliance program are helping protect the long-term health of their organizations and communities.
Cutting compliance resources is necessary to protect the organization’s financial health. This fallacy ties in with the previous one—that the cost of compliance is greater than that of noncompliance. Few things are worse for the financial health of a healthcare organization than to undergo the full adverse consequences of having been found to be noncompliant with key regulatory requirements.
Indeed, for healthcare finance leaders who are contemplating scaling back their organizations’ compliance programs, these points should be taken as a word to the wise: Compliance is an area that requires ongoing vigilance, without which organizations can become vulnerable to unsuspected risks.
Rebekah Sharpe is vice president of operations, MediTract, Inc., Chattanooga, Tenn.