Compliance Strategies


Here are five compliance strategies that are guaranteed to fail going forward: (1) ostrich; (2) our staff's on top of it; (3) members of our legal team are compliance experts; (4) not invented here--healthcare is so different; and (5) the docs know best. Why are these the "Top Five"? Because they are the five that we hear most when we interact with the marketplace. They are indicative of why the healthcare industry, from the inside, has woefully failed to grasp the forces that are shaping it from the outside.

There is good reason for this. First of all, the healthcare industry, as a whole, is the most insular industry in the U.S. economy; even the legal industry is no match for it with respect to insularity. Second of all, there are powerful forces within the healthcare industry that have invested hundreds of millions, if not billions, of dollars to ensure that the status quo remains undisturbed.

Why? The answer is obvious even to lay students of economics: the incumbents are protecting the last of the U.S. monopolies (OK, the more precise economic term of art may be oligopoly, but for certain parts of the country monopoly is a better approximation of the ground game). This is not a question of what politics you choose to favor, simply what we believe to be an accurate reading of the economic circumstances as they exist in fact.

So what? The so what is that the long-called-for change to the industry is coming like a freight train in the night, and the U.S. government is an important, but ultimately not the most significant, player in this drama. The freight train is globalization. The momentum for change already has so much traction that it will not be denied. Sure, no one's crystal ball is good enough to predict, with any degree of certainty, who will be the winners and losers, but the fact that disruptive change is coming simply cannot be ignored. If you want proof then just follow the money. Some of the biggest technology and consulting companies are gearing up to benefit from, and in many cases actually drive, the disruption.

Five Strategies Guaranteed to Fail

What does any of this have to do with compliance? Regulatory compliance will not escape unscathed from the disruption. Below are five strategies guaranteed to fail in the brave new world of next-generation healthcare.


1. Ostrich: Back in the good ol' days when HIPAA was a paper tiger, this was actually a viable, if not recommended, approach. Well-respected consultants in the healthcare space publicly advocated this strategy. The strategy was essentially as follows: do the bare minimum possible by drafting some documents (e.g. notice of privacy practices), posting the necessary and/or recommended notice in clear sight, getting patients to sign on the dotted line, providing minimalist staff training, and not much else.

This strategy made business sense at the time because everyone knew that HIPAA, by and large, was one of those "feel good" pieces of legislation that was much talked about, but almost never enforced, at least not with respect to a large and statistically significant (understatement) number of providers. Sure, there were some ANSI Standard administrative transactions to comply with, but there were relatively inexpensive solutions that met the need. This was the HIPAA everyone came to "know and love," despite the hue and outcry that big government was imposing itself on an industry that did not need (or want) this kind of regulatory oversight.

As counter-intuitive as this may sound, the HITECH Act will have many, if not most, of the healthcare industry pining for HIPAA's good ol' days. This article hopes to shed some light on the new regulatory challenges by arguing that it is not simply (or mostly) big government (i.e. through HITECH's enhanced regulatory scheme) that is driving the need for change; it is the innovation that is occurring in the marketplace that will no longer support the regulatory status quo. Clearly, government is playing a role here, but it is not the dominant role that many suspect. I recently had a chief of staff at a major urban hospital tell me that he would rather stop practicing medicine than do all of the things now required under the HITECH Act.

This is not a surprising response; a number of colleagues have reported similar conversations. The response is quite understandable given the existing pressures that talented, hard-working providers experience on a daily basis. While I may empathize, the Ostrich head-in-the-sand strategy is simply an unacceptable response. Why? Because not only is it potentially bad for business in an environment wherein PHI will be exchanged on a daily basis 24/7, and wherein patients will increasingly demand the kind of protection of personal information provided by online banking, it is likewise ill-advised in a regulatory environment wherein HHS' enforcement regime has been enhanced dramatically.

There is no doubt that changes to the healthcare industry represented by the convergence of policy, law and technology will be daunting, but there are practical strategies for building a "good compliance story" that can be done incrementally and within available budgets. However, it will require a change to the existing culture of resistance, and that CHALLENGE by itself dwarfs all others.

Our Staff's On Top of It

2. Our Staff's On Top of It: Unless the board of directors ("BOD") and the executive management set the right tone and allocate the necessary resources, the cultural changes required to implement an effective compliance strategy will never be realized, and the organization's HITECH/HIPAA/EHR implementation is likely to be yet another EHR disaster. Resources must be allocated to re-train existing compliance staff in the brave new world of twenty-first-century privacy and security. Almost universally within the healthcare industry, compliance staff has not been adequately educated regarding the import of the HITECH Act. This is not mere self-serving hyperbole but rather a reflection of our interactions with otherwise qualified staff. To a person, these individuals completely lack a baseline understanding of the HITECH Act and its corresponding regulations, but more importantly the implications of same. For the most part, these individuals already perform yeoman's work without sufficient resources. Asking an already challenged staff to grapple with concepts completely foreign to them (i.e. the convergence of policy, law, and technology) is setting them up for failure, and thereby ensuring that the organization itself cannot meet its objectives. Simply stated, your staff is not on top of it, nor is it reasonable to make that assumption. The problem is an order of magnitude more complex than anything they have previously dealt with.

Members of Our Legal Team are Compliance Experts

3. Members of Our Legal Team are Compliance Experts: The world has changed for compliance attorneys like it has for all others. However, the challenges here are different in kind than those faced by internal compliance staff. In general, outside compliance counsel has both the resources and the incentive to stay current with emerging statutes and regulations. The issue here is not one of compliance competency but rather that compliance has become so intermingled with technology issues that many compliance attorneys simply lack the technology competency to effectively counsel their clients regarding the HITECH Act's transformation of HIPAA. In short, compliance is a wicked problem precisely because it now encompasses legal, technology, policy, organizational and generational complexity. The problem is one of multidisciplinary competency because of the convergence dilemma. The legal perspective on the problem must of necessity be broader than it has been in the past. Your legal compliance team will need to learn the equivalent of a foreign language to effectively interact with all the other stakeholders that now have skin in the game (e.g. health information technology staff and consultants). It is not that competent legal counsel does not have the capacity to learn a new language, but rather that the healthcare industry is now, probably for the first time, competing on Internet time. There is simply not enough time available for all required stakeholders to climb the necessary learning curves. The healthcare industry is going to see a fierce competition for knowledgeable staff across the board.

Not Invented Here (NIH)--Healthcare is So Different

4. Not Invented Here (NIH)--Healthcare is So Different: It appears that the who's who of the technology industry (e.g. Google, Microsoft, IBM et al.) have all taken a keen interest in the billion-dollar healthcare market; so have the Big Four consultancies. This should be a signal to the healthcare industry that technology giants will continue to take a patient's pulse and that the consultants are staffing up to launch their own significant initiatives, all of which in aggregate will prove disruptive to the status quo. As a general principle we do not favor "big bang" implementations (often favored by the "big boys" because of the tens of millions of dollars that can be generated in software licensing and professional services fees). We continue to believe that this type of approach will not succeed in the healthcare industry (i.e. for reasons similar to why it has failed elsewhere); however, we welcome the entrance of these players into healthcare because of the expertise they bring from other industries. Some of the most daunting problems faced by providers and facilities have already been solved. Sure, the context is different and the healthcare industry is inordinately complex, but many lessons learned are directly applicable. The "new blood" is a healthy development for an otherwise overly myopic and insular industry. Simply put, the healthcare industry has a potentially lethal case of NIH that must be cured in order for real innovation to occur. This applies as much to a privacy and security strategy as to an EHR implementation strategy since at certain "touch points" the two are inseparable.

Docs Know Best

5. Docs Know Best: A viable compliance strategy is all about risk management. However, it is highly probable that compliance risk is simply not yet a major blip on the healthcare industry's radar. Why? Because historically compliance risk, for all intents and purposes, was close to non-existent. Sure, providers and facilities paid lip service to HIPAA when it was a paper tiger, but then lip service was all that was seemingly required. HIPAA simply had no teeth and the industry had more than its fair share of challenges to deal with. However, now the game has changed and there is a new sheriff in town. So what does this have to do with "docs know best"? In the healthcare industry, for the most part, it is the docs' world and everyone else just lives in it. That said, the docs don't "fear" HITECH / HIPAA because in the past there was nothing to fear. If the docs have no fear then everyone else lower on the proverbial totem pole is likely to follow suit, even if/when they come to know better. Other staff will simply not be capable of providing sufficient countervailing force to overcome the docs' position power. However, the organizational problem is even more insidious than mere clout. The docs as a group are clearly among our "best and brightest." They are accustomed to being right and are uncomfortable (as are most professionals) when pushed outside of their comfort zone. In short, even those among them that take sufficient interest to start the education process will not readily recognize the wickedness of the challenge that lies ahead. As in most things in this brave new world, there are no cookbook answers to this problem. However, before you begin to solve a problem you must first come to terms with the fact of its existence. The problem for the "really smart docs" (i.e. those humble enough to recognize their own limitations) is to figure out which partners to trust going forward (no small feat).