Last week SAI Global released a report on compliance trends in the healthcare sector, with conclusions telling enough that even compliance professionals in other industries should give the report some attention. The lessons and frustrations they feel in that sector might feel familiar.
The report polled 388 compliance officers across a range of hospital systems, medical practices, nursing homes, and other healthcare businesses. Some questions were typical inquiries about budgets and staffing, others about compliance priorities and techniques to measure the effectiveness of your program. Let’s take a look.
Compliance officers are getting mixed messages about priorities. To no surprise, the top concerns among compliance officers were cybersecurity (cited by 64 percent of respondents) followed by HIPAA privacy (51 percent). Next were fears about accuracy of billing claims (44 percent) and corrupt arrangements among healthcare providers to bilk more money out of the system (35 percent).
At a gut level, that resonates. Any compliance officer these days, in any business sector, will say cybersecurity is the board’s top priority.
Healthcare enforcement agencies, however, have those priorities reversed: their top priorities are corrupt arrangements that violate the Stark Act or the Anti-Kickback Statute; and billing fraud under the False Claims Act. Most major enforcement actions from the Justice Department or the Health & Human Services Department involve violations of those laws, with HIPAA and other cybersecurity issues much further down the list.
That also resonates at a gut level; it speaks to the inchoate approach to oversight of cybersecurity that we still have in the United States. Corporate boards worry about cybersecurity because they can’t not worry about it — but the most severe punishments for cybersecurity lapses are meted out in civil litigation and the stock market, not by regulatory enforcement. Target paid $18.5 million last year to settle regulatory probes from its massive 2013 data breach, less than 0.1 percent of total 2017 revenue. Its share price of $71 these days is 27 percent higher than its early 2014 lows immediately after the breach.
We have a disconnect in corporate compliance between what gets enforced — billing fraud, the FCPA, financial statement accuracy, money laundering, export violations — and what gets talked about, which is cybersecurity.
Tight staffing levels can drive compliance process innovation. The SAI Global study also found a large number of compliance functions with a small number of people working in the compliance function. Seventy-five percent of respondents said their compliance function has five or fewer staffers; 20 percent said the function is only one full-time person.
Now, guidance from the HHS Department’s Office of Inspector General (the top regulator for healthcare compliance) specifies that for a compliance program to be effective, the program must have adequate staff and budget to meet its objectives. That’s quite similar to the Justice Department’s guidance from 2012 on FCPA compliance, which said a compliance program should have “sufficient resources to ensure that the company’s compliance program is implemented effectively.”
On a practical level, that means organizations with small compliance teams (most of you) must embrace innovations in technology and business process management. That’s the only way your small team (thanks, stingy CFO) can achieve all those compliance objectives.
How much is that happening? You tell me. For example, the SAI Global report also found that half of respondents still manage compliance documents manually — that is, through email, spreadsheets, and the like. That’s not innovative compliance. Nor is it wise, given the host of documentation demands placed upon compliance departments. I suspect we could find similarly alarming statistics about many other compliance program operations.
Those alarming statistics bring us to this: Compliance officers need to think about how to gear their organization’s business processes to generate data more clearly and easily. That’s the precursor to compliance automation, and to your small compliance team leveraging technology wisely.
Assessing effectiveness of your compliance program is, fundamentally, an exercise in looking at business processes and saying (ideally), “Yep, these processes work as we intended, and according to our policies and procedures.” You can’t make that determination unless you have information about how those processes work.
“Information about how they work” is just a fancy way of saying “data.” If you have to extract the data manually, your small team will be overwhelmed. The more you design business processes to embed compliance requirements in them, and use technology that can extract performance data in an automated fashion— then you’ll be able to do the fabled “more with less.”
And then use your spare time to argue with the board about priorities.