Most healthcare compliance officers prioritize the compliance of their organizations with the HIPAA Privacy and Security Rules. However, the enforcement actions of the Department of Justice and the HHS Office of Inspector General (OIG) are not focused on HIPAA violations or security breaches. More penalties are actually issued on corrupt arrangements with referral sources and false claims than on HIPAA violations. Now these compliance issues being penalized are relatively low down the list of priorities of healthcare organizations according to a survey by SAI Global and Strategic Management Services.
The survey involved the compliance officers of 388 healthcare organizations covering small physician practices and large integrated hospital systems. The purpose of the study was to pinpoint the key issues that compliance officers face and how they respond and prioritize their resources. The top priority of healthcare organizations according to the respondents is dealing with HIPAA data breaches and the biggest concern was HIPAA privacy and security.
Indeed the past two years has seen a growing list of HIPAA enforcement actions. But the penalties for false claims and arrangements with referral sources are not that many. The compliance officers actually rank claims accuracy third on their priority list while arrangement with referral sources was fifth. It seems that there is a gap between what the OIG and DOJ see as high risk and what compliance officers see as high risk.
Considering the survey results, compliance officers need to better align their priorities and programs with what the regulatory and enforcement agencies deem important. It is understandable why HIPAA compliance is the focus of many healthcare organizations. Partly, it is because of the increased enforcement activity by OCR, the media activity regarding healthcare data breaches and the high fines that covered entities pay for not complying with HIPAA Rules.
Compliance officers regard HIPAA privacy rule compliance as top priority and focus their resources on it. The study results show that only 1 of 5 compliance officers feel their company is well prepared for a compliance audit. Last year, only 30% of compliance officers said they were highly prepared for an audit while 50% said they were moderately prepared. This year, the percentage of moderately prepared organizations increased to 61%.
The study also suggests that while compliance officers have more workload, the budget remains the same. Aside from overseeing the organization’s compliance with HIPAA Privacy and Security Rules, compliance officers are also responsible for conducting internal audits and providing legal counsel. “Compliance offices are being stretched thin to meet their obligations.”
It probably would help healthcare organizations to use third party compliance assessments. But only a quarter of respondents said they use these tools. Three quarters of respondents still employ self assessments, internal surveys and compliance checklists for their organization’s compliance programs. Surely, healthcare organizations need to remove barriers and deal with the increased responsibilities being laid on compliance officers so that they would not be distracted from the development of effective risk controls.