Healthcare Information Security

HIPAA Compliance Gap Between Compliance Officers, Regulators

There is a large gap between the priorities of healthcare compliance officers and regulators when it comes to HIPAA compliance, a recent survey finds.

By Fred Donovan

There is a large gap between the priorities of healthcare compliance officers and regulators when it comes to HIPAA compliance, according to a survey of 388 healthcare organizations by SAI Global and Strategic Management Services.

Healthcare compliance pros said that compliance with the HIPAA Security and Privacy rules is their highest priority, while the regulators at the HHS Office of the Inspector General (OIG) and the Department of Justice (DOJ) are focused on corrupt arrangements with referral sources and false claims, which represent virtually all the major enforcement actions and penalties. 

To date, these issues have resulted in far greater liabilities to healthcare entities than privacy and security breaches. Yet arrangements with referral sources ranked fifth in priority, and claims accuracy third, among compliance professionals included in the survey.

The DOJ reported that 93 percent of its civil fraud cases involved violations of the anti-kickback statute and Stark laws, and the OIG reported that most of its corporate integrity agreements have as their foundation these same laws, the 2018 Healthcare Compliance Benchmark Report found.

“The question has to be asked as to why, in the face of the enforcement agencies' priorities, compliance officers are placing these high-risk areas in a lower priority,” said former HHS Inspector General and Strategic Management Services CEO Richard Kusserow. “The takeaway from the survey is that compliance officers should be prepared to better align their priorities and programs with those set out by the regulatory and enforcement agencies.”

Despite their focus on HIPAA, only 20 percent of compliance officers said they were highly confident they are prepared for a HIPAA compliance audit by the Office for Civil Rights (OCR). This compares with 30 percent who were highly confident in last year’s survey. On the plus side, 61 percent of respondents are moderately confident they are prepared for an OCR HIPAA audit, compared to 50 percent who were moderately confident last year.

Two-thirds of respondents said they have strong or full confidence in their controls for preventing data breaches involving protected health information (PHI).

Highly publicized healthcare data breaches and more visible OCR enforcement may be behind the respondents’ focus on HIPAA compliance.

“The high activity level of the OCR in investigating and taking action on security breaches of protected health information, along with their increased level of auditing providers, is reflected in the movement toward placing greater priority on addressing HIPAA compliance,” the report observed.

The survey also found healthcare compliance officers are increasingly responsible for internal auditing and some legal counsel in addition to HIPAA Privacy and Security rule compliance. But they are not getting additional resources to handle these increased responsibilities.   

Around half of respondents are not expecting any additions to their budget this year, while 10 percent are even looking at budget reductions. Nearly three-quarters of respondents said their compliance offices have five or fewer staff, with one-third having only one full- or part-time person.

“This suggests that many, if not most, compliance offices are being stretched thin to meet their obligations,” the report concluded.

In terms of compliance office operations, evidencing program effectiveness is a top priority for 2018. Compliance training is one of the top three priorities, as it has been for the last eight of the nine years of the survey. Improving compliance auditing ranked as the number two priority in 2018. Policy and investigative management were high priorities for around one-third of respondents.

Only 25 percent of respondents have their compliance programs independently measured for effectiveness, relying instead on self-assessments, checklist tools, and internally generated surveys. A full 40 percent have never had an independent compliance program evaluation, and 15 percent have never had an evaluation of their compliance program of any kind.

“The 2018 Healthcare Compliance Benchmark Survey gives us a better understanding of compliance program development in the healthcare sector and suggests that effectiveness is being measured in terms of output, rather than outcome,” said SAI Global CEO Peter Granat.

“It is abundantly clear that there is a need for healthcare organizations to remove barriers and increased responsibilities being laid on their compliance offices that distract from the development of effective risk controls.”

