Making the business case for compliance

September 20, 2017
By: Rebekah Sharpe

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently fined Children’s Medical Center of Dallas a whopping $3.2 million for what OCR described as the hospital’s noncompliance “over many years with multiple standards of the HIPAA Security Rule.”

Multimillion-dollar noncompliance fines like this have become almost routine in American health care. Our friends at Children’s are not alone.



The need for a comprehensive compliance program in hospitals has never been more apparent. Yet compliance professionals often find themselves fighting an uphill battle when asking C-suite executives and board members for the resources necessary to do the job properly. Many of us in the compliance space struggle to understand, even with the financial pressures health care is facing, why anyone would diminish or constrain the capabilities of an effective compliance program.

We need to accept the fact that a solid compliance program is simply a cost of doing business in modern American health care. Change is afoot in the industry, but this is one area that is not going to change.

Addressing organizational resistance to the allocation of appropriate resources for compliance programs requires today’s compliance leaders to understand what is causing leadership to consider downsizing these programs so they can address the objections in a logical, fact-based manner.

Understand what is driving these cuts
Many executives in the chief compliance officer or general counsel role (that is, those responsible for compliance) must deal with the routine mandate from senior management to cut or trim their compliance resources. The reasons typically include:

• The organization does not understand the risk of noncompliance.
• The organization does not believe it will ever be investigated for noncompliant actions.
• The organization believes it can defend against claims of noncompliance.
• Management decides that it must cut compliance resources to protect the organization’s financial health.

Let’s look at each of these objections and suggest ways a compliance officer might deal with them.

• The organization does not understand the risk of noncompliance.
If you have C-suite executives or board members who don’t understand or appreciate the risk, this means you have not been effective in your compliance education. Begin by instituting a refined compliance education program targeted to those individuals. Focus on the current high-risk compliance areas in health care and give examples. If you cannot effectively convey this message internally, consider engaging an external expert to meet with and educate your leadership and board on what is taking place in the health care industry related to compliance risk. We strongly advise against bringing in attorneys at this juncture, as they typically do not have a specialized focus on health care compliance. Resist involving friends of the board, who may not be compliance experts, to perform the task. After completing compliance education, have each attendee certify that they understand the elements of your compliance program and recognize the importance of compliance within your organization.

• The organization does not believe it will ever be investigated for noncompliant actions.
Try to understand the origin of this argument and confront it. Numerous case studies reveal stories of hospitals and health care organizations that thought they would never be investigated. Present these case studies in a factual manner so that the audience can understand the risk. Remind them of the possibility of whistleblowers and how an effective compliance program mitigates the risk. Historical observation has shown that, at times, those who push the “it can’t happen here” rhetoric may actually stand to gain from an investigation. This could include work being generated for outside consultants or outside counsel. Determine if there are any potential conflicts of interest associated with your decision-makers that could taint their support of your compliance program. This can be accomplished via a thorough conflict-of-interest disclosure process.

• The organization believes it can defend against claims of noncompliance.
Defending yourself is expensive. Lawyers and compliance consultants are just the beginning of the costs. A negative public image could be even more expensive. Common sense says it's cheaper to mitigate the risk of noncompliance than to defend yourself after the fact.

• Management decides that it must cut compliance resources to protect the organization’s financial health.
This is a shortsighted strategy. Cutting aspects of the compliance program (staff, technology, consultants) tells a future investigator or whistleblower that the organization knew the risk, as demonstrated by previous expenditures for the compliance program, but was not committed to the same level of compliance in the future.

Health care organizations have one of the most complicated business models ever created. Hospitals are difficult to organize and manage in the best of situations, but even more so under the stringent financial pressures they currently face. However, a critical component of the long-term viability of these organizations is a proactive compliance program that is appropriately supported with the proper resources. Demonstrate and “sell” to the C-suite and executive team that compliance is an investment and not an expense. When you invest in a strong compliance program, you are helping protect the long-term health of our organizations and communities.


About the author: Rebekah Sharpe joined MediTract in 2000 and is vice president of operations.