Definition of Non-compliance
Now that you know about compliance, what is non-compliance? In general, non-compliance in healthcare is when individuals do not follow the rules, regulations, and laws that relate to healthcare practices.
While this could include patients not complying with medical orders, the focus here will be on regulatory non-compliance. While non-compliance can cover both internal and external rules and regulations, most healthcare non-compliance issues deal with patient safety, the privacy of patient information, and billing practices.
Ordinary vs gross negligence
When it comes to compliance in the healthcare industry, it helps to understand an important distinction between two key points: ordinary non-compliance versus gross negligence.
The key difference between the two? Whether or not the healthcare organization willfully or voluntarily knew they were putting patients in danger.
That is why it is so important in having strong policies and procedures in place. Doing so demonstrates that the organization put safeguards in place, even if those safeguards were not followed properly.
Putting systems, protocols, and safeguards in place from the start will reduce your liability.
While they will never completely eliminate risk, doing so demonstrates due diligence and certainly reduces the penalties and consequences down the road because you will be viewed as “doing the right things.”
More than HIPAA
While HIPAA compliance is often thought of as the only real concern, the consequences of non-compliance are a much broader topic than just meeting HIPAA requirements. Your organization must also comply with an array of other requirements, including federal and state regulations, accreditation standards, internal policies and procedures, financial requirements, and OSHA standards, to name just a few.
In a nutshell, you need to view non-compliance in healthcare more holistically than just one regulation.
For example, if your facility is a hospital that wants to receive or maintain tax-exempt status under section 501(c)(3) of the Internal Revenue Code, you now have to comply with new, specific requirements handed down by The Patient Protection and Affordable Care Act.
These are big changes for the “community benefit standard” that have been around for 40 years.
The potential risk involved in this area is far-reaching. How much could it cost your organization if you do not get control of this issue? This study of 46 organizations by the Poneomon Institute put the cost of non-compliance to be about 3.5 times higher than compliance ($820/employee for non-compliant organizations vs. $222/employee for compliant organizations), with an average of $9.6 million in costs for non-compliant organizations.
But the costs go beyond just dollars. Non-compliance leaves you at risk for financial losses, security breaches, license revocations, business disruptions, poor patient care, erosion of trust, and a damaged reputation. Here is a quick overview of the impact of non-compliance.
Fines and penalties
When you think of “cost,” you probably think of a specific monetary value because it is one of the most tangible consequences of non-compliance.
It is also (likely) the scariest to think about, as no one ever wants to get fined. To get a feel for the stiff financial cost of non-compliance in healthcare, an overview of HIPAA Resolution Agreements from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) shows this alarming statistic. HIPAA fines can be up to $1.5 million per incident per year, with more than $28 million in fines handed out in 2018.
With more healthcare providers switching to digital systems, and as information is increasingly being shared between networks, electronic data breaches are on the rise and becoming a major problem.
In a review of just a handful of security breach cases, Becker’s Hospital Review noted one case that levied $792,000 in fines against six hospitals and a nursing home “for failing to prevent unauthorized access to confidential patient information.” In another case, a Boston hospital agreed to pay the U.S. government $1 million to settle allegations (involving the loss of documents) that the hospital violated the HIPAA privacy rule.
Lawsuits and settlements
Besides the consequences of fines and penalties, non-compliance in healthcare also opens your organization up to lawsuits. These can tremendously impact your organization’s legal fees.
And, if employees were non-compliant, that increases the cost to settle those suits. That’s not to say compliance is a panacea for malpractice.
However, it certainly helps reduce the cost of settlements if you can prove you put safeguards in place and that your personnel was trained and aware of these safeguards.
Impact on patient care
The cascading effect of non-compliance also affects the quality of care you provide patients. When you follow poor practices and procedures, it leads to an increase in patient care issues. If your facility as a whole is not complying with regulations and standards, the impact will eventually be felt by the very patients you promise to serve.
It might not be immediate, but if you are fined for non-compliance issues, this will negatively impact your available resources to buy equipment or increase staffing. Furthermore, if you land in the news for a fine or penalty, it will begin to erode trust – both by patients and potential employees.
And if non-compliance forces you to disrupt or discontinue different services or procedures, even temporarily, it can devastate the operation of your facility.
On the contrary, if you are compliant, that means you are doing things “the right way,” which, over time, will lead to better results and better care for patients.
How do you get from non-compliance to compliance? Strong policies and procedures bridge the gap between the cost of non-compliance in healthcare and the benefits of compliance.
Policies and procedures
Compliance starts with setting and then communicating the expectations to employees, and this usually happens through strong policies and procedures. At a minimum, this helps mitigate your risk since it shows your organization was putting practices in place to comply with the many laws and regulations.
As mentioned in the ordinary non-compliance vs. negligence section, having these policies and procedures definitely provides a safeguard. But being able to prove that the policies were distributed and tracked and that employees were trained on those policies goes a long way to reducing risk and improving compliance.
You might consider a policy management software, like PowerDMS, to ensure those policies stay up to date with ever-changing regulations and those up-to-date policies are distributed and accessible by staff.
Track policy attestation
With the high turnover in healthcare, it is imperative that you are able to prove you have made your policies available and accessible to employees. While it is not required that you have employees sign off on each policy to acknowledge they have read and understood the policy, it is good practice to do so. Tracking who has signed off on each policy helps drive accountability. This, in turn, helps ensure compliance.
This is not only best practice in many other industries, but it reinforces two things to employees. First, it clearly spells out the expectations of your facility, which helps drive organizational accountability. Second, by signing each policy, employees are agreeing and committing to following these policies and procedures, which helps drive personal accountability.
Institute robust compliance training
While you are most likely providing some kind of compliance training, is it a cursory approach to simply “check that box” or is it a robust effort to really train to your policies?
Rather than taking a generic, do-the-right-thing stance to compliance training, dig deep and provide a more meaningful and memorable education experience. How? Your training and policies need to work hand-in-hand to reinforce each other.
Therefore, your training should cover the specific ways the laws and regulations apply to your employees’ jobs and the day-to-day healthcare compliance issues they actually face. Providing this type of specific, real-world training helps to show employees what to look for and how to apply the policies and procedures to specific situations they encounter. Learn more about building industry-specific regulatory compliance programs by checking out our article here.
Plus, robust training helps demonstrate the measures your facility is undertaking to achieve and maintain full compliance with your staff.
Again, a policy management software, like PowerDMS, helps track and connect all of these areas together: policies, signatures, and training.
While compliance is difficult, it is a necessary part of business operations that takes everyone focusing on the issue together – not just a compliance department or officer.
Your healthcare organization can only achieve compliance when every single employee takes responsibility for following procedures and regulations. Compliance is truly a team effort.