Healthcare regulatory compliance is the practice of meeting or exceeding the requirements of all applicable federal, state, local, and industry regulations and any voluntary standards a healthcare organization adopts in order to demonstrate a good faith effort to comply with the regulations. Due to the number of regulations and standards a healthcare organization may have to comply with, healthcare regulatory compliance is complex and has the potential for failure in many different areas.
Most healthcare organizations are required to comply with dozens of federal, state, local, and industry regulations. The regulations can cover subjects as diverse as building safety, data security, codes of conduct, the regulation of controlled substances, and the provision of medical assistance in emergency circumstances. To complicate the challenge of healthcare regulatory compliance, some regulations conflict with each other, while others duplicate standards from other regulations.
It can also be the case that some regulations exempt healthcare organizations from complying with some standards, but not with other standards. An example of this scenario is when a state privacy law exempts HIPAA covered entities from complying with its standards relating to Protected Health Information (PHI), but not from complying with its standards for individually identifiable non-health information maintained by the same organization in a separate non-protected record set.
The Importance of Regulatory Compliance in Healthcare
To understand the importance of regulatory compliance in healthcare, it is necessary to understand the purposes of federal, state, local, and industry regulations and why they exist. Although it is not practical to provide a synopsis of – and the reason for – every healthcare regulation, the following list provides a cross section of regulations a healthcare organization may have to comply with.
The Health Insurance Portability and Accountability Act (HIPAA)
The purpose of HIPAA was to reform the health insurance industry. But, due to concerns that the cost of the reforms would be passed onto employers and employees in the form of increased, tax-deductible premiums – and the impact this would have on Treasury revenues – Congress adopted measures to mitigate the costs to the health insurance industry by reducing fraud, waste, and abuse in the healthcare industry and simplifying the administration of healthcare transactions.
The measures to simplify the administration of healthcare transactions led to the HIPAA Privacy, Security, and Breach Notification Rules. These Rules stipulate permissible uses and disclosures of PHI to protect patient privacy, the safeguards required to ensure the confidentiality, integrity, and availability of electronic PHI, and the procedures for alerting individuals when their health information has been accessed, viewed, or acquired without authorization.
The Conditions of Participation in Medicare and Medicaid
The original conditions of participation in federal Medicare and Medicaid programs were published in 1966 by the Social Security Administration to provide a baseline of care for qualifying beneficiaries throughout the country. As the Medicare and Medicare programs expanded, further conditions for participation have been added, and the responsibility for enforcing compliance transferred to HHS’ Centers for Medicare and Medicaid Services (CMS).
The penalties for non-compliance with the conditions of participation are the same as the penalties for non-compliance with HIPAA – plus non-compliant organizations can also be excluded from federal health programs. CMS has yet to issue a civil monetary penalty for non-compliance with the conditions of participation, but has referred non-compliant healthcare organizations to HHS’ Office of Inspector General when there is evidence of fraud, abuse, or misconduct.
HHS’ Office of Inspector General Exclusions List
HHS’ Office of Inspector General (OIG) investigates individuals and organizations suspected of fraud, patient abuse and neglect, or other incidents of misconduct – for example, violations of the Social Security Administration’s Anti-Kickback Statute or the Stark Law. Individuals and organizations found guilty of fraud, abuse, or misconduct are excluded from the Medicare and Medicaid programs in addition to being fined and/or given a custodial sentence.
In the context of healthcare regulatory compliance, healthcare organizations are prohibited from conducting business with, or engaging the services of, an individual or organization that appears on the HHS OIG Exclusions List. Healthcare organizations that violate this condition of participation can themselves be excluded from the program, fined up to $20,000 per violation, and made to repay up to three times the amount claimed for non-compliant services or items.
The Emergency Medical Treatment and Active Labor Act (EMTALA)
Another way in which healthcare organizations can be excluded from federal health programs is by violating EMTALA. Congress passed EMTALA in 1986 to eliminate the practice of “patient dumping” – a practice in which healthcare organizations refused to provide emergency medical treatment to individuals because of their inability to pay. The Act also prohibits healthcare organizations from discharging patients prematurely because of high anticipated treatment costs.
To comply with EMTALA, healthcare organizations must implement policies for ED workforces to ensure an appropriate screening exam is provided and, if the patient has an emergency medical condition, stabilizing treatment is provided or the patient is transferred to a facility with appropriate capabilities. In addition to being excluded from federal health programs, healthcare organizations that violate EMTALA can be fined up to $129,233 per violation and subject to civil damages.
The Occupational Safety and Health Act
The Occupational Safety and Health Act (OSH Act) in 1970 created the Occupational Safety and Health Administration (OSHA). The Administration was authorized to develop standards for workplace safety and health to reduce the number of avoidable accidents, injuries, and workplace illnesses attributable to poor working conditions. The Administration enforces the standards via a program of inspections and investigations in response to accident reports and workforce complaints.
OSHA compliance consists of complying with applicable safety and health standards, maintaining injury and illness reports, and providing safety training to members of the workforce exposed to specific risks (i.e., bloodborne pathogens). Healthcare organizations that fail to comply with the OSHA requirements can be fined up to $161,323 per violation depending on the nature of the violation, the organization’s history of compliance, and its cooperation during an investigation.
Payment Card Industry Data Security Standards (PCI DSS)
PCI DSS is a contractual obligation (rather than a rule or regulation) that has the objective of ensuring the security of debit and credit card transactions and protecting cardholders against fraud, theft, and the misuse of their personal information. The actual standards themselves closely match the Technical Safeguards of the HIPAA Security Rule, so healthcare organizations that comply with the Security Rule will automatically be in compliance with PCI DSS.
However, when personal information and/or payment information is stored independently of PHI, different breach notification procedures apply if the information is accessed, viewed, or acquired without authorization. The procedures are most often governed by states’ data breach rules; but it is important to be aware that some data breach laws extend across state boundaries and apply to citizens of the state regardless of where the breach of personal or payment information occurs.
Food and Drug Administration (FDA) Regulations
Among other responsibilities, the FDA ensures the safety and effectiveness of drugs, biologics, and medical devices. However, because the Administration is the enforcer of more than two hundred laws, regulations, and standards, there is no one-size-fits-all approach to FDA regulatory compliance in healthcare. It is up to each healthcare organization to determine which FDA laws, regulations, and standards apply to their activities and implement compliance programs for each.
To ensure compliance with healthcare-related laws, the FDA’s Office of Regulatory Affairs conducts regulatory assessments, inspects drug facilities, oversees laboratory testing and clinical trials, and investigates fraudulent or other criminal activities that threaten public health. The Office has the authority to seize unregulated goods, obtain injunctions against healthcare organizations operating unlawfully, or pursue criminal convictions through the FDA’s Office of Criminal Investigations.
Physician Payments Sunshine Act /CMS Open Payments
The Physician Payments Sunshine Act is an Act requiring the transparency of financial relationships between healthcare organizations and drugs companies – including suppliers of biologics, medical supplies, and medical devices. The purpose of the Act is to prevent conflicts of interest that could result (for example) in a patient being provided with an unsuitable medication or an unnecessary treatment because the healthcare provider has a financial interest in doing so.
CMS oversees compliance with the Act via the Open Payments Program, which does not prohibit healthcare organizations from receiving payments or items of value from drugs companies, but requires that payments are reported accurately, completely, and in a timely manner. CMS has the authority to audit healthcare organizations in federal health programs for compliance with the Sunshine Act, and can impose civil monetary penalties of up to $1 million per violation for non-compliance.
State Privacy and Data Security Legislation
State privacy and data security legislation can create more compliance headaches for healthcare organizations than the web of federal legislation. To date, thirteen states have passed some form of consumer protection, privacy, and/or data security legislation, while a further eighteen states have legislation at the committee stage or beyond. In many cases, state legislation can increase an organization’s healthcare regulatory compliance obligations by filling the gaps in federal legislation.
An example of this is the Texas Medical Record Privacy Act which defines covered entities as any person or organization that assembles, collects, analyzes, uses, evaluates, stores, or transmits PHI. This means that a healthcare organization that does not qualify as a HIPAA covered entity or business associate still has to comply with the HIPAA regulations in respect of any PHI relating to a resident of Texas – regardless of where the healthcare organization is located.
Local Fire, Building, Noise, and Safety Codes
Local fire, building, noise, and safety codes can also increase an organization’s healthcare regulatory compliance obligations by requiring more stringent protections for patients, the workforce, and the community in which the organization is located. Although the financial penalties for local code violations are minor in relation to the penalties for violations of federal or state regulations, citations can be issued for some unusual violations (i.e., the failure to remove graffiti from a building).
With regards to requiring more stringent protections than federal or state regulations, there are likely examples of this in every location. For example, in Dallas, §403.11.1.3 of the local Fire Code has more stringent qualifications for standby personnel than OSHA; in New York, §28.103.21 of the Construction Code has more stringent injury reporting requirements than OSHA; and hospitals in Atherton, CA, are not be permitted to use gas-powered leaf blowers under §8.16.040 of the Atherton Municipal Code.
Healthcare Regulatory Compliance Issues and Challenges
In addition to the healthcare regulatory compliance issues and challenges that have already been mentioned (i.e., conflicts, duplications, and partial exemptions) a further issue is that – although individual regulations may not change frequently – because a healthcare organization may have to comply with (say) twelve regulations, if each regulation adds or changes a standard once a year, it is the equivalent of a change to the healthcare regulatory compliance requirements once a month.
The frequency of regulatory changes is not necessarily a challenge if, for example, the change relates to a little used process or a process that is used by a small number of the workforce (i.e. electronic signatures in healthcare transactions). However, larger scale changes – such as changes to the HIPAA Privacy Rule – will have an impact on most healthcare organizations, their Notices of Privacy Practices, workforce policies and procedures, and sanctions for impermissible disclosures.
When regulatory changes represent a material change (for example, the changes to disclosures of reproductive health information), it is also necessary for healthcare organizations to provide members of the workforce whose roles are affected by the changes with additional HIPAA training. While it can be the case that the timing of the mandated training coincides with scheduled refresher training, it can equally be the case additional resources may be required to comply with the training requirement.
As one-off events, these healthcare regulatory compliance issues and challenges are usually manageable. However, over the next year or so, a large number of regulatory changes are scheduled that could create simultaneous compliance challenges for organizations impacted by the FDA’s proposals for remote regulatory assessments, the new CMS requirements for hospital epidemic preparedness, and HHS’ recently released Cybersecurity Performance Goals.
The Benefits of Adopting Voluntary Healthcare Standards
Voluntary healthcare standards are standards that most often exceed the healthcare regulatory compliance requirements to better protect patients, healthcare data, or members of the workforce. Examples include the Joint Commission accreditation standards, ISO 7101:2023, SOC 2, and the American Institute of Architects’ Acoustic Guidelines in Healthcare Facilities (which benefits patients, visitors, and members of the healthcare organization’s workforce).
Adopting voluntary healthcare standards often requires just a little more effort than complying with regulatory standards. For example, if an organization already complies with HIPAA, OSHA, and CMS’ conditions for participation in Medicare, there are minimal training, administrative, and documentation requirements to complete before an organization can apply for ISO 7101:2023 certification to demonstrate it has an effective healthcare quality management system.
The benefit of adopting a voluntary healthcare standard in this example is that organizations that achieve ISO 7101:2023 certification must continue to monitor clinical and non-clinical performance to continually improve their processes and results. Healthcare organizations that comply with this voluntary requirement will simultaneously be complying with matching HIPAA, OSHA, and CMS mandatory requirements – mitigating the risk of non-compliance across the matching requirements.
In addition, achieving an accreditation or certification of voluntary compliance not only demonstrates a good faith effort to comply with mandatory healthcare regulations – which can mitigate a penalty for non-compliance in certain circumstances – but it can also enhance an organization’s brand reputation and can give it a competitive advantage. This may be extremely valuable for a business associate being evaluated by a covered entity for a lucrative contract.
How Software can Support Healthcare Compliance Efforts
It is not difficult to see how the number of mandatory regulations and voluntary standards a healthcare organization may have to comply with – and the volume of changes that might occur as a result – can increase the potential for compliance failures. Nor is it difficult to see how a well-resourced compliance team using a mature risk management strategy might still overlook a critical implementation specification due to the number of similar requirements.
To mitigate the risk of being swamped by regulations and standards, or overlooking a critical implementation specification, healthcare organizations should evaluate customizable healthcare regulatory compliance software. Software solutions for healthcare regulatory compliance are getting more sophisticated, and can be used to determine when one standard conflicts with or duplicates another, or when a state regulation partly exempts an organization from compliance.
When configured to meet an organization’s requirements, healthcare regulatory compliance software can produce guided risk assessments for each business unit and, once the risk assessments are concluded, a corrective action plan if compliance gaps are identified. The software can also be used to assess what changes to policies, procedures, and business practices may be required due to changes to or new regulatory standards. Organizations interested in taking advantage of healthcare regulatory compliance software are advised to seek professional compliance advice.
The post What is Healthcare Regulatory Compliance? appeared first on HIPAA Journal.