What is the true cost of HIPAA and HITECH non-compliance? The answer today looks very different than it did even a few years ago.
Previously, noted Eric Mueller, president of the Services Division for WPC, “There was no stick. The cost of compliance was higher than the cost of the fines.” In 2008, the Seattle-based data integration company launched WPC Services, an international healthcare consulting organization headquartered in Brentwood and led by Mueller, a health technology executive with extensive expertise in all aspects of healthcare, including security and compliance.
In fact, he continued, enforcement really only occurred if a covered entity was ‘outed’ by a disgruntled trading partner, client or patient whose claim that the company was operating outside of HIPAA guidelines came to the attention of federal officials.
That was then … this is now.
Mueller said today there is not only increased enforcement in terms of proactive audits, but the associated costs of non-compliance also extend beyond monetary fines. How, for example, does a company truly gauge the harm to brand equity from a data breach that requires that the media be notified?
He cited recent retail breaches — Sony, Zappos, T.J. Maxx — as examples of the impact lax security measures or compliance could have on businesses. In each of these cases, the involved companies saw a drop in revenue and in consumer confidence.
“When you have a violation or breach, and there is a perception that your data is not secured properly, it definitely erodes the brand,” he said.
With increasing competition and consumer choice in the healthcare sector, the perception of inadequate HIPAA and HITECH protections could be enough to send patients to another provider. Interestingly, Mueller said problems don’t typically occur because of confusion over government expectations or a lack of governance policies at the company level. Instead, breaches are often the result of poor training and execution on the front lines.
“More times than not, we find healthcare organizations understand what the law requires, and they have governance policies that outline what procedures should be followed. However, what’s really happening doesn’t always align with policies,” he said. “If I’m an auditor, I’m going to talk to the network administrator or security architect, and they are going to say they have policies in place. Our next question is, ‘how do you know your people are adhering to that?’”
He added, “Unless you are holding people accountable, it’s not really corporate policies … it’s more like corporate recommendations.”
A healthcare company’s responsibility doesn’t simply lie in creating compliance and governance policies. Covered entities and their business associates must also self-audit to ensure strict adherence to those policies.
Like quality, Mueller continued, compliance doesn’t have a starting and stopping point. “It’s a constant in your organization. All compliance policies need to evolve as technology evolves.” A security plan written three years ago, he noted, is already outdated considering the advances in cloud computing and adoption rates of mobile devices.
However, Mueller cautioned against automatically saying ‘no’ to new options and ideas just because they might be deemed risky in terms of securing data. “There’s a perception that in order to comply, companies have to be so rigid that innovation cannot flourish. That’s wrong. That’s absolutely wrong,” he stated unequivocally.
Instead, he said, make sure staff members or contracted consultants who are charged with governance and compliance have a seat at the table when it’s time to discuss ways to innovate and evolve the business model. “Make security and compliance part of the process … not an afterthought.”
Like most experts in the field, Mueller stressed the federal government has been quite clear in what is expected and acceptable when it comes to crafting and implementing security and compliance programming. “People really can’t afford to sit idle and do nothing,” he said of today’s enforcement landscape. “If you take the approach that the cost of compliance is too high, then you’re not really informing yourself.”
In fact, he said the three best weapons in creating workable security and governance policies are education, networking and making sure you have the right oversight. Education is readily available through government websites and through national organizations and their local affiliates, including the Healthcare Information and Management Systems Society (HIMSS), America’s Health Insurance Plans (AHIP), and the Healthcare Financial Management Association (HFMA). In addition, the major provider membership bodies, including the AMA, AHA and MGMA-ACMPE, also have resources to assist in structuring and implementing appropriate policies.
“All of these organizations provide what I call non-vendor-driven information. It is critical to get advice from peers in your industry … not someone trying to sell you something,” Mueller said. “Never ask a life insurance salesman if you need life insurance,” he added with a laugh.
The second key is to tap into the power of networking. “You have to create brain trusts where you can collaborate and share ideas,” he stressed. Locally, he continued, the Nashville Health Care Council, Nashville Technology Council, TN HIMSS and other organizations host seminars and workshops around the topics of compliance and governance. Mueller said a little due diligence should uncover a wealth of resources.
Finally, hire people who know what they are doing. For some, that might be a full-time staff member. For others, the solution might be to collaborate with a consultant. “You need experts to provide wisdom … that gets you going in the right direction,” Mueller said.
Perhaps the most important step is the first one. “It really is a battle of inertia,” Mueller said. “You have to start small, get small wins, and gain momentum.”