In the complex world of healthcare, compliance with federal, state and international regulations is not just a moral and ethical responsibility—it’s a financial one. The cost of non-compliance in healthcare can be staggering, with fines, penalties, legal fees, and reputation damage all posing significant risks to healthcare providers. This blog delves into the real cost of non-compliance, highlighting notable examples of fines and penalties while underscoring the importance of robust compliance programs.
Financial Repercussions
A myriad of regulations exists in healthcare, including those related to patient privacy (HIPAA), billing practices (Medicare and Medicaid), and data security. Non-compliance can lead to audits, investigations, settlement agreements, and ultimately hefty fines – and those are just some of the tangible costs we can quantify. The cost of non-compliance is sometimes a forgotten topic when finalizing the organization’s budget.
- HIPAA Violations: One of the most publicized areas of healthcare compliance is the protection of patient information under the Health Insurance Portability and Accountability Act (HIPAA). Violations can result from inadequate training, employee negligence, and ever-pervasive cybersecurity issues. The gravity of cybersecurity cannot be overstated, as the issues pose significant risks to patient safety, privacy, and integrity of the healthcare system. Breaches can lead to fines and legal challenges, not to mention the erosion of patient trust.
In the Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance for CY2022, the Department of Health and Human Services (HHS) reported a significant increase in HIPAA complaints (17% increase from 2018 to 2022) and large breaches (107% increase from 2018 to 2022). The HHS Office of Civil Rights (OCR) completed 846 compliance reviews and required the entities to take corrective action and/or pay civil monetary penalties that totaled $2,425,640 in 674 of the investigations. Covered entities and business associates are not always prepared for compliance reviews that are brought to the OCR’s attention. The cost of an imposed resolution agreement may result in compliance program improvements but can be operationally disruptive.
- Medicare and Medicaid Fraud: Billing fraud is another area where non-compliance costs can skyrocket. In 2020, Novartis Pharmaceuticals Corp. agreed to pay $678 million to settle a lawsuit that accused the company of paying kickbacks to doctors to induce them to prescribe its drugs. This suit was brought under the Anti-Kickback Statute, a criminal law originally enacted in 1972 and amended and expanded several times since its inception.
Several organizations have also been issued Corporate Integrity Agreements (CIA) for violations of this statute. Benchmarking your compliance program to the CIA is an excellent exercise and can be used as a means for identifying risks and making program enhancements.
One of the Seven Elements of Effective Compliance Programs is auditing and monitoring. Auditing contracts for high-risk areas such as items related to the Stark Act and Anti-Kickback Statute can assist with preventing improprieties. A compliance workplan should include the continuous review of physician and/or medical director contracts based on risk, adherence of policies to the contracts, a review of financial payment to the contracts, and all associated documentation to support payment.
- Quality of Care Violations: Non-compliance related to the quality of care can also lead to significant penalties. For instance, in 2019, a skilled nursing facility chain was fined $3.5 million for not meeting certain federal standards of care, which directly impacted patient health outcomes. The adage, “If it wasn’t documented, it wasn’t done,” not only can lead to financial consequences for billing but truly impacts the care of the patient.
In February 2024, a settlement agreement of $25.5 million was reached with Lincare for fraudulent billing practices that also impacted the quality of services to patients. Essentially, monthly claims for payment of respiratory equipment were submitted to the federal health care program that were not medically necessary or the beneficiary had stopped using the device.
Beyond the Fines
What are the intangible costs of non-compliance? Here are some of them:
- Reputation Damage: Publicized violations can erode patient trust, potentially leading to a loss of business. Restoring a tarnished reputation can take years – if not decades – and significant investment. Violating an individual’s right to privacy can impact a community’s trust and confidence in the organization and its leadership. Reputational damage may also negatively impact:
- Employee morale
- Recruitment of specialty physicians and quality leadership
- Philanthropic giving
- Operational Disruption: Addressing compliance issues can divert resources from patient care and other operational priorities, impacting the organization’s overall performance. Responding to an initial inquiry or reported incident on a compliance matter can consume countless hours investigating; however, ignoring a matter may result in whistleblower action, retroactive audits, data analysis, and/or legal and compliance review that will deplete more resources quickly over a greater length of time. It is best to prevent, detect, and deter.
- Increased Scrutiny: Once an organization faces penalties for non-compliance, it may come under increased scrutiny from other agencies and regulators, leading to more audits and inspections. The social media trajectory has created a new level of exposure for all organizations.
- Insurance Costs: Non-compliance can lead to higher insurance premiums, as insurers assess the organization as a higher risk. This is particularly the case since the advent of cybersecurity breaches of patient information.
Building a Culture of Compliance
Key strategies for building and maintaining a robust compliance program include:
- Ongoing Training: Ensure that all employees understand the relevant regulations and their roles in maintaining compliance. Most important is to emphasize the duty to report a concern or issue. One of the purposes of reporting is to prevent, detect, and deter to give the organization an opportunity to correct an impropriety before the problem becomes systemic and repeated.
- Targeted training is important for patient registration to obtain accurate data and information from the first point of entry.
- Specialized training should be given around health information management, regarding documentation requirements and orders that support the service to be delivered.
- Educate revenue cycle staff to understand payor reimbursement, fee schedules, national coverage decisions, local coverage decisions, denials, and the “why” behind the denial and the circle of services provided to right reimbursement.
- Train for utilization review and quality to understand the intersection of compliance and quality providing examples from settlement agreements and more.
- Risk Assessments: Conduct regular assessments to identify and mitigate risks of non-compliance. This establishes a framework for improvement.
- Policies and Procedures: Develop clear, accessible policies and procedures that align with all applicable state and federal regulations. Then, monitor adherence to the policies to reduce risk to the organization.
- Compliance Officer: Your organization’s Compliance Officer should be a part of senior management. This sends a clear message throughout the organization, lends credibility to the compliance program itself (internally and externally) and makes it more likely that employees will take compliance seriously.
- Reporting Mechanisms: Implement confidential reporting mechanisms for employees to report potential compliance issues. The emphasis here is not just one mechanism, but several. Transparency and the ability to voice concerns without retribution are crucial to the success of establishing a healthy culture.
The cost of non-compliance in healthcare extends far beyond fines and penalties. It encompasses legal fees, reputational damage, operational disruptions, and more. Investing in compliance is not just a legal obligation—it is a critical component of a healthcare organization’s operational excellence and commitment to patient care.
Shawn DeGroot CHC-F, CCEP, CHRC, CCPC is president of Compliance Vitals, providing consulting services for clients in need of practical guidance in a complex healthcare regulatory environment. She served on the faculty of the HCCA Privacy Academy and served five years on Board of Directors for St. Charles Health System, Bend, OR. Shawn’s area of expertise is also Corporate Integrity Agreements to include experience in seven CIA’s with the first CIA pertaining to Stark and Anti-kickback. She also is a past president of HCCA/SCCE and serves on an advisory group to the HCCA/SCCE Board of Directors.
Qualified compliance professionals do the heavy lifting for you, simplifying regulatory change management
Our in-house team works tirelessly to monitor U.S. regulators, carefully read the regulations in their entirety, and translate the information into simple regulatory intelligence you can use. We deliver model procedures and expert tools that can be used to fulfill your business requirements. Everything is validated by a third-party law firm. Follow the button below to get a tour of our healthcare compliance software.
Get the latest from healthcare compliance experts
Never miss an article from Shawn Y. DeGroot. Sign up for YouCompli’s weekly email if you haven’t already.