Providing a stronger catalyst for regulatory compliance
Instead of trying to resolve issues through guidance, public fines and negative press coverage could be more effective in changing provider behavior.
Concerns about the level of compliance with a growing host of healthcare regulations are mounting.
Healthcare is subject to myriad regulations that often create confusing, if not contradictory, requirements. However, many regulations are also designed to drive certain operational requirements that theoretically (or sometimes practically) create real benefits or positive impacts for individuals. With that in mind, what can be done to drive better compliance?
Before considering how to improve compliance, it may be helpful to identify some of the regulations for which compliance is lagging. The regulations are a mix of new and old, so the excuse cannot just be that organizations are still feeling their way through how to comply.
HIPAA created a veritable grab bag of compliance issues. Infrequent compliance settlements announced in the past few years have primarily focused on individuals’ right to access their medical records.
Too many organizations either ignore timing requirements or throw up too many unnecessary barriers to access. And the barriers to access are not limited to individual requests for records. Organizations may also create uncalled-for hurdles for sharing information among the covered entities that are all supporting the same patient.
On the security side of things, basic measures such as written policies and procedures may not be implemented, and the essential first step of an annual risk analysis may not be occurring. If a risk analysis is not conducted, then an organization cannot know where its problems lie, which, in turn, means the organization does not know what steps to take to mitigate risks or implement requirements.
It's puzzling why HIPAA compliance is so spotty. The HIPAA privacy, security and breach notification rules have all been around for a long while. The regulations are also relatively easy to understand, at least when compared to other regulations in healthcare.
Because the final rules to carry out the information blocking regulation are not yet in place, compliance is not yet a priority for many organizations.
The general thrust of this regulation is to remove barriers to the free flow of information, with the aim of fostering better collaboration. The regulation also has a strong individual access component.
On the technology side, some vendors are still making others run around in circles to obtain patient information.
One example is an electronic health record vendor that requires all sorts of logins but then offers dead or broken links, circular account creation and other steps that appear designed to frustrate the ability to connect. Those unnecessary complications make it harder for vendors to work together and can, in effect, prevent new entrants from being able to help others.
For patients, it’s not yet fully clear how to exercise the ability to make sure that records get to all the desired locations. Some organizations have request forms, but details may be in short supply as to how information will be made available to an individual’s preferred location.
Price transparency requirements for hospitals represent yet another area where compliance is apparently coming up short.
Research and analyses of hospital efforts on price transparency have found outright non-compliance: ignoring the requirements, keeping prices buried so that discovery is extremely difficult, or publishing prices only spottily. Very few hospitals have been found to be in full compliance, which requires prices to be made available both in an easily accessible form and in a machine-readable format (which amounts to the prices being in a spreadsheet).
When prices are available as required by the regulation, patients can be well-informed before going into a procedure. That’s essential as patients bear ever-increasing amounts of financial responsibility for services. Advance knowledge of prices will also likely reduce so-called “surprise” bills.
What about enforcement?
If organizations are not complying with regulatory requirements, then shouldn’t the government take steps to ramp up enforcement?
That may be easier said than done, because defining and enforcing monetary penalties or other repercussions is often a long, drawn-out process.
HIPAA settlements attract a lot of headlines when they’re issued, but that only happens about a dozen times per year. The limited number of settlements is troubling considering the thousands of complaints about HIPAA violations that are submitted each year.
Even when settlements do occur, they raise a lot of questions about the exact conduct that gave rise to the settlement (reading between the lines, it often involves ignoring government advice on how to do better) and the reasons behind the dollar amount of the settlement (in my opinion, driven by the depth of an organization’s pockets).
The lack of consistency leaves the impression that HIPAA enforcement is unlikely to occur in any given case, which reduces the incentive to comply.
On the price transparency front, the regulation is still new enough that it’s not clear how often the government will seek to impose fines. It appears that the first couple of hospitals have been fined for not meeting obligations, which may be a step in the right direction given the growing body of evidence that compliance is not being taken seriously.
There is also a frequently cited concern that the level of the penalties authorized in the statute and regulations, a maximum of $2 million per hospital per year, is not high enough to create a strong incentive to comply.
And for the information blocking regulation, a rule to establish penalties for non-compliance has yet to be finalized. That means organizations currently have nothing to fear from ignoring obligations. Will that change any time soon? That’s not yet clear.
The potential for improvement
Greater attention to compliance as a result of news media coverage, individual requests, market movement and other related actions could spur some organizations to voluntarily do better.
If enough patients shift to other providers when they’re dissatisfied with their current provider’s compliance efforts, that could force a change in compliance behaviors.
Unfortunately, however, the failure to fully respect longstanding rights under HIPAA has not necessarily impacted an organization’s ability to remain competitive.
Stepped-up enforcement by the government could drive better compliance. Instead of trying to resolve issues through behind-the-scenes guidance, public fines and penalties and the attendant negative press coverage could more expeditiously change behavior.
The prospect of real pain from enforcement, with hefty fines, could be the necessary catalyst to get organizations to take compliance seriously.
More guidance from government agencies about how to comply with various regulations would also be beneficial.
Many organizations get frustrated by vague statements from regulators that leave too much to interpretation. A better understanding of expectations could make compliance easier, which, in turn, could result in more organizations actually doing what needs to be done.
Everyone in healthcare should keep in mind that when patients are frustrated or cannot access the information that they need, care delivery suffers.
Matthew Fisher is a corporate and regulatory healthcare attorney. Matt is currently General Counsel for Carium, a virtual care platform company.