The True Cost of Non-Compliance

With the constant emergence of new standards and regulations across all areas of health care, hospital and health system leaders are working hard to ensure that they have effective compliance programs in place. Compliance is an active process that entails staying abreast of regulations, maintaining relevant policies and procedures, implementing continuous training and professional development, and dealing with discipline and breaches when necessary. The process is arduous, but the consequences for noncompliance are exponentially worse.

According to a 2014 survey, about one-third of healthcare providers estimate their total annual budget for compliance to be $1 million to 5 million.a Thirty-eight percent state that their compliance budget has increased in the past year, and 52 percent state that it has stayed the same. The cost of compliance makes a compelling argument for investment in a strong program. Across industries, a compliance program costs about $222 per employee, versus the $820 per employee for non-compliance.b Two factors are responsible for the high costs in the latter case: poor patient outcomes and litigation.

Costs of Poor Patient Outcomes

A 2010 study examined the costs of Methicillin-resistant Staphylococcus aureus (MRSA) infections among patients who acquired the infection as a result of a nurse’s lack of compliance with a hand hygiene policy.c The study found that a 200-bed hospital incurs $1,779,283 annually in MRSA-infection-related expenses, directly attributable to hand hygiene noncompliance. A 1 percent increase in hand hygiene compliance resulted in annual savings of $39,650 for the hospital.

Costs of Litigation

In 2014, New York-Presbyterian Hospital and Columbia University paid a combined $4.8 million to the Office of Civil Rights (OCR) to settle a 2010 HIPAA violation. The breach occurred when a physician tried to deactivate a personal computer that was connected to the hospitals’ shared network. The protected health information (PHI) of 6,800 patients, including vital signs, medications, and lab test results, was compromised. The OCR’s investigation found that neither hospital had conducted an adequate risk assessment or documented a risk management plan for their IT systems that access PHI. Neither did NewYork-Presbyterian Hospital have appropriate policies and procedures in place for authorizing access to its database. The hospitals paid the settlement, and both agreed to a corrective action plan.

In addition to the financial costs of noncompliance, there are intangible costs as well. A lack of compliance can lead to a loss of accreditation, resulting in a detrimental impact on the hospital’s reputation. If a provider has had a breach of PHI of more than 500 residents of a state, media outlets must be notified, further damaging a hospital’s reputation and potentially bringing about a loss of trust among patients, staff, and the wider community. Recent research found that 65 percent of patients would consider changing providers after a HIPAA data breach.d

A well-organized approach to managing compliance is the most critical component to mitigating risk exposure. Over the past five years, both the industry and most leading analysts have deemed effective compliance programs and strategies such as policy management to be the nucleus of a sound governance, risk, and compliance strategy.

Implementing an electronic, cloud-based policy management program is one proactive method to invest in compliance. Such a system can aid a hospital each step of the way, from writing policies and procedures that reflect current standards and regulations, to training and disciplining employees, and managing breaches. There are, unfortunately, no shortcuts to executing an effective compliance program. It requires continuous monitoring, evaluation, and improvement. But in today’s healthcare environment, an investment in compliance pays off in spades.

Saud Juman is the President and CEO of PolicyMedical in Richmond Hill, Ontario, Canada.