Encouraging Regulatory Compliance

By Matt Fisher, General Counsel, Carium
Twitter: @matt_r_fisher
Twitter: @cariumcares
Host of Healthcare de Jure, #HCdeJure

Concerns about the scope of compliance with a growing host of regulations in healthcare are mounting. It is fully acknowledged that healthcare is subject to a myriad of regulations that often create confusing, if not contradictory requirements for organizations. However, many of those same regulations are also designed to drive certain operational requirements that theoretically (or sometimes practically) create real benefits or positive impacts for individuals. With that in mind, what can be done to drive better compliance?

Examples of Non-Compliance

Before considering how to improve compliance, it may be helpful to identify some of the regulations where compliance is reportedly lagging. The regulations are a mix of new and old, so the excuse cannot just be that organizations are feeling their way through how to comply.

A veritable grab bag of compliance issues with HIPAA exists. When infrequent settlements are announced, the primary area for those settlements in the past few years has been the individual right of access. Organizations either ignore timing requirements or throw up too many unnecessary barriers to access. The barriers to access are not limited to individual requests either. Organizations may also create uncalled-for hurdles for sharing information between covered entities who are all supporting the same patient.

On the security side of things, basic measures such as the full scope of written policies or procedures may not be implemented, or the essential first step of an annual risk analysis may not be occurring. Those two examples are interconnected. If a risk analysis is not conducted, then an organization cannot know where its problems lie, which in turn means the organization does not know what steps to take to mitigate risks or implement requirements.

It remains very puzzling why HIPAA compliance is so spotty. The Privacy, Security, and Breach Notification Rules have all been around for a fairly substantial period of time at this point. Greater attention from a broad perspective is beginning to be placed on rights and obligations under HIPAA, but the requirements are a known quantity within the industry. The regulations are also comparatively easy to understand, at least when compared to other regulations in healthcare.

Info Blocking

The newer and still rolling out information blocking regulations offer another instance where compliance is not yet fully in place. The general thrust of the info blocking regulations is to remove barriers to the free flow of information with the aim of breaking down barriers and fostering better collaboration. There is also a strong individual access component to the info blocking regulations.

Since applicability is still in progress, compliance remains spotty. On the technology side, some vendors are still making others run around in circles. One example is an electronic health record vendor requiring all sorts of logins, but providing dead or broken links, circular account creations, and more steps that appear designed to frustrate the ability to connect. Those unnecessary complications make it harder for different vendors trying to support the industry to work together, or effectively prevent new entrants from being able to help others.

On the individual front, it is not fully clear how to exercise the ability to get information where the individual wants it to go. Some organizations have request forms, but details may be in short supply as to how information will be made available to an individual’s preferred location. That doesn’t touch upon the justified concerns about what will happen to information when moved to an identified location if that identified location is not also subject to healthcare regulations.

Price Transparency

Price transparency requirements for hospitals represent yet another area where compliance is reportedly given short shrift. Research and analyses of hospital efforts on price transparency have found outright non-compliance by ignoring requirements, prices being kept hidden or buried to make discovery extremely difficult, or spotty publication of prices. Very few hospitals have been found to be in full compliance, meaning prices are made available in both an easily accessible form and in a machine-readable format (which amounts to the prices being in a spreadsheet).

When prices are available as required by the regulation, patients can go into a procedure on an informed basis. That is essential as patients bear ever increasing amounts of financial responsibility for services. Advance knowledge of prices will also likely feed into hopefully reducing surprise bills, which is another new regulation imposing requirements on healthcare organizations.

What About Enforcement?

If organizations are not complying with regulatory requirements, then shouldn’t the government take steps to enforce the requirements? That may be easier said than done as the regulations will often have a number of steps that must be taken by the government before enforcement in the form of monetary penalties or other repercussions can occur. That means it can be a long, drawn-out process.

Using examples again, HIPAA settlements attract a lot of headlines when issued, but that only happens roughly a dozen or so times per year. The limited number of settlements is in the face of thousands of complaints submitted per year. Even when a settlement does occur, a lot of questions also result as to the exact conduct that gave rise to the settlement (reading between the lines, it often involves ignoring government advice on how to be better) and the dollar amount of the settlement (in my opinion, driven by the depth of an organization’s pockets). The lack of consistency makes it difficult to identify HIPAA enforcement as likely to occur and therefore as a reason for complying.

On the price transparency front, the regulation is still new enough that it is not clear how often the government will seek to impose fines. It appears that the first couple of hospitals have been fined for not meeting obligations, which may be a step in the right direction given the growing body of evidence that compliance is not being taken seriously. Despite the first fines being issued, there is also a frequently cited concern that the level of the penalties authorized in the statute and implementing regulations is not high enough to be of concern to hospital systems. The amount is a maximum of $2 million per hospital per year, which is typically a fraction of a hospital’s annual revenue. Does the low number provide an incentive to comply?

The last regulatory example of info blocking doesn’t even have teeth yet. A rule to establish penalties for non-compliance has yet to be finalized. That means organizations currently have nothing to fear from ignoring obligations. Will that change any time soon? It’s arguably anyone’s guess.

Can It Get Better?

Asking whether things can get better is a very fair question and one that is very murky. Optimistically, greater general attention through media coverage, individual requests, market movement, and other related actions will spur organizations to voluntarily do better. The impact of people moving their feet to different options or emerging alternatives could force changes if an organization wants to maintain its place in the industry. Those hopes are likely somewhat overly optimistic. Looking at HIPAA requirements, the failure to fully respect longstanding rights has not necessarily impacted an organization’s ability to maintain its footing. That may change as care is encouraged to be provided in different settings and disruptive entities continue to emerge that challenge the old way of doing things.

Stepped-up enforcement by the government could represent another means of driving better overall compliance. Instead of trying to resolve issues through behind-the-scenes guidance, public fines and penalties and the attendant negative press coverage could change behavior more expeditiously. Enforcement requires the authority to impose fines to exist and for the authorized fines to be of a sufficient amount to actually have an impact on an organization. The prospect of real pain from enforcement could be the necessary stick to get organizations to focus on the carrot instead.

Connected to enforcement, more guidance from implementing agencies within the government on how to comply with various regulations could also be beneficial. Many organizations get frustrated with vague regulatory statements that leave arguably too much up to interpretation. A better understanding of expectations could make compliance easier, which in turn could result in more organizations actually doing what needs to be done. The government may have a justified worry of not tying its hands through a specific interpretation, but a middle ground must exist.

Keeping Eyes on Patients

Regardless of the issues, everyone in healthcare should try to remember that all of these actions and requirements impact patients. When patients are frustrated or cannot access the information that they need, everyone will come out worse. Saying that patients are at the heart of healthcare is a frequently repeated statement; can it actually be made true? Let’s hope so.

This article was originally published on The Pulse blog and is republished here with permission.