Top Compliance Issues in Healthcare for 2019
Given stringent federal patient privacy laws and the growing threat of cyberattacks and data breaches, the conventional wisdom is that healthcare organizations are investing more resources than ever on compliance. But a recent industry study suggests healthcare providers have a long way to go when it comes to compliance.
SAI Global’s 2018 Healthcare Compliance Benchmark Report, which surveys compliance professionals in the healthcare provider industry, found that 20 percent of healthcare companies have only one full-time person handling compliance, while another 13 percent indicated the vital task is handled by one part-time worker.
Compliance budgets are also largely stagnant, the survey found, with 50 percent of respondents expecting their budgets to remain the same in the coming year and another 10 percent expecting reductions. “[E]vidence suggests that many of these programs are not fully developed or effective,” the report’s authors concluded.
Corporate Compliance & Ethics Week, which runs Nov. 4-10, represents the perfect time for healthcare organizations to revisit their compliance policies before the new year. With that in mind, here are two major trends compliance officers will likely encounter heading into 2019.
More Consequences for Data Breaches
The SAI Global survey found that the biggest jump in compliance professionals’ concerns was related to HIPAA security and cybersecurity, which is now the most-named high-priority issue, cited by 64 percent of respondents. HIPAA privacy is second at 51 percent.
“One of the top healthcare compliance issues for 2019 will be maintaining strong HIPAA security compliance,” says attorney Matt Fisher, a partner and chairman of the health law group at Massachusetts-based law firm Mirick O’Connell. “Breaches continue to occur at a steady pace from a combination of both internal and external causes such as hackers, viruses and other malicious attacks.”
Fisher says the issue, which is already at the forefront for most compliance professionals given the continuing stream of high-profile data breaches, is going to take on even greater importance given the likelihood of increased federal enforcement of privacy laws.
Recent statements by Roger Severino, Director of the Office for Civil Rights at the U.S. Department of Health and Human Services, signal a willingness to conduct more HIPAA audits that result in fines, Fisher says.
Fisher says Severino has indicated that earlier desk audits were a preliminary fact-gathering process during which OCR learned about issues concerning HIPAA compliance and where organizations were falling short. The earlier audits did not result in fines or other penalties.
“However, now that organizations have received fair warning about the audits, OCR will look to impose fines in the event conduct is found that OCR deems worthy of a fine,” Fisher says. “While the type of conduct worthy of a fine could be debatable, the message is clear that organizations need to take compliance seriously and cannot ignore HIPAA obligations.”
On Oct. 15, the OCR announced the largest HIPAA penalty in history, fining an insurance firm $16 million for a series of cyberattacks that led to the largest U.S. health data breach in history, exposing the protected information of nearly 79 million people.
“While compliance cannot control the actions of external actors, it is possible to help ensure that appropriate resources are directed to securing systems,” Fisher says. “When it comes to internal causes, compliance needs to appropriately educate and monitor activity. If individuals are armed with knowledge of the law, then it becomes easier to do the right thing. However, trust cannot be blind, and that is where auditing and monitoring is necessary.”
Smarter Social Media and Marketing
Christy Owenby, founder and Creative Director at MOXY Co., a Louisiana-based marketing firm that specializes in the healthcare industry, says healthcare companies need to take greater care to ensure they’re not violating patient privacy with their social media accounts.
“The thing about social media that gets a lot of people in trouble is that the practice, physician or hospital has an internal employee that is not qualified or trained to protect the physician or patient information when posting on social media,” says Owenby, who is a Bronze Fellow in the Mayo Clinic Social Media Network.
Small and inadvertent mistakes on social media can have serious consequences. Owenby cites a common example: an adult child of a patient who thanks a healthcare provider via social media for the quality service they provided her parent. “If a practice then responds to that and acknowledges that person was a patient, then very innocently you’ve violated HIPAA,” she says.
She says that in such situations, if a healthcare organization is going to respond to praise, it is best to simply like the post and respond in a general way, such as “caring for all of our patients in a compassionate way is a passion of ours.”
Owenby says another common mistake is posting seemingly innocuous photos, often of staff, with identifying patient information in the background. She says this also happens via the private social media of healthcare facility staff. “Those are the kind of things that are innocently done but can put a patient’s information at risk,” she says.
Training staff to prevent these patient information breaches is essential, she says, as is a marketing team that understands healthcare compliance and can blur out any identifying information in the background before an image is posted. For larger social campaigns, she says, it’s essential that marketing teams work with the legal and regulatory team upfront to ensure full compliance for any campaign rather than waiting for a problem to surface.
Staying proactive about data security and appropriate social media use will be important for all healthcare leaders as they look ahead to 2019.