The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

The Consequences of Non-Compliance in Healthcare

The consequences of non-compliance in healthcare depend on the compliance obligations of the individual or entity, the nature of the non-compliant activity, the potential sanctions for the failure to comply with healthcare regulations, and how the sanctions are applied. The consequences of non-compliance in healthcare can also be influenced by the individual’s or entity’s past compliance history and their cooperation during a compliance investigation.

The term “non-compliance in healthcare” is an umbrella term for the failure to comply with any applicable healthcare regulation. The word “applicable” is emphasized here because different healthcare regulations can apply to different individuals or entities at different times, depending on the nature of their operations, the location of the individual or entity, and the enforcement objectives of the regulatory body.

For example, two neighboring healthcare facilities can provide the same medical services to the public, but because Clinic A does not conduct HIPAA-covered transactions electronically, it is not a covered entity and is not required to comply with HIPAA. That changes as soon as Clinic A provides a service for or on behalf of Clinic B as a business associate, at which point Clinic A is required to comply with the HIPAA regulations applicable to business associates.

Remaining with HIPAA, members of Clinic A’s and Clinic B’s workforces will also have different HIPAA compliance obligations because Clinic A – when operating as a business associate – will not have to comply with some Privacy Rule regulations. In addition, both Clinics will have different sanctions policies, and both Clinics will have their own procedures for applying sanctions to members of the workforce.


In this scenario, the consequences of non-compliance in healthcare can be more severe for a healthcare professional in one Clinic than for a healthcare professional in the neighboring Clinic, even though both non-compliant events are identical in nature and impact, and both healthcare professionals have the same compliance history and show the same degree of cooperation during an investigation.

The Perception of the Consequences for Non-Compliance

There is a perception that the consequences of noncompliance in healthcare are substantial fines, exclusion from participation in Medicare and Medicaid, and jail sentences. These events happen less often than the perception suggests. In fact, despite 64,180 data breaches being notified to HHS’ Office for Civil Rights in 2021, the regulatory body investigated just 631 notifications and resolved just two data breaches with financial settlements that year.

With regard to exclusions from participation in Medicare and Medicaid, although around 3,300 entities currently appear on the HHS OIG Exclusions List, this number represents a small fraction of the 115,000 reports of fraud, waste, abuse, and mismanagement received by the OIG Hotline each year, and the OIG Hotline is not the only source of information for HHS’ Office of Inspector General and its Office of Investigations.

HHS OIG enforcement actions that result in jail sentences are becoming more common, but usually in connection with criminal healthcare fraud or kickback offenses rather than for violations of healthcare regulations (the Stark Law, for example, is a civil statute and carries no criminal penalties). In 2023, HHS OIG enforcement actions resulted in approximately 120 individuals receiving jail sentences. However, in the twenty years since the publication of the HIPAA Enforcement Rule, fewer than twenty individuals have received jail sentences for violations of HIPAA.

The consequences of non-compliance in healthcare with other federal regulations can be inconsistent. For example, the FDA’s Office of Criminal Investigations appears to take every opportunity to “put bad actors behind bars”, whereas the Occupational Safety and Health Administration (OSHA) received more than 2,000 reports of healthcare safety violations in the year to September 2023, conducted 226 inspections, and collected just $1.8 million in fines.

The Real Consequences of Non-Compliance in Healthcare

The real consequences of non-compliance in healthcare are more often corrective action plans and Corporate Integrity Agreements. These consequences incur indirect costs for healthcare organizations inasmuch as they cause workforce and operational disruption, can involve the implementation of additional security measures, and often require the non-compliant entity to outsource compliance or retain an independent review organization.

However, those who suffer most from non-compliance in healthcare are patients. More than 37.5 million records were exposed in the 64,180 data breaches notified in 2021, and many of these records were – or will be – used to commit medical identity theft, fraud, and other scams. These consequences can affect individuals’ access to health care, ability to obtain finance, and – in some cases – employment prospects.

When these events happen, patients can believe their confidential information will not remain confidential and withhold information from healthcare providers. With less information to work with, the chance of a misdiagnosis or an inappropriate course of treatment increases, which can then result in worse patient outcomes. A lack of trust in a healthcare provider can also lead to lower rates of patient compliance with treatment plans and medications.

It can also be the case that the disruption caused by complying with corrective action plans and Corporate Integrity Agreements results in slower patient access to healthcare. In 2019, a team of researchers studied the effect of HIPAA violation remediation efforts on the quality of hospital care and concluded that the remediation efforts resulted in a deterioration in the timeliness of care and of patient outcomes.

Non-Compliance Comes at a Cost – But to Whom?

The consequences of non-compliance in healthcare can be widespread. When patients withhold information or fail to adhere to treatment plans, the resulting deterioration in the quality of care increases provider costs and increases payment reductions under programs such as the Hospital Readmissions Reduction Program. Worse patient outcomes can also have an impact on staff morale, resulting in healthcare professionals leaving the industry due to burnout.

Even when the reason for a corrective action plan or Corporate Integrity Agreement is not a data breach, the consequences of non-compliance in healthcare can still have an impact on patients – and, by association, providers and healthcare professionals – when the remediation efforts reduce the quality of care and extend the length of time it takes for patients to receive (for example) emergency care or lifesaving operations.

In conclusion, not only is it difficult to pinpoint the consequences of non-compliance in healthcare because of the many different variables that can influence what sanctions are applied, but it is also difficult to measure the impact of those consequences on patients, providers, and healthcare professionals, all of whom can incur personal, professional, and financial costs due to non-compliance in healthcare.

Author: Steve Alder is the editor-in-chief of HIPAA Journal and is responsible for editorial policy and for the factual and legal accuracy of all content published on The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, with 10 years of experience writing about HIPAA and related legal topics, and holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
