Healthcare Compliance: All You Need To Know

As a multi-trillion-dollar industry focused on patient care and safety, it should come as no surprise that healthcare is highly regulated, and penalties for noncompliance are steep. There are regulations for just about everything: protecting confidential health information, following safety protocols when dispensing medications or performing procedures, documenting care accurately and completely, coding and billing accurately, and much, much more.


What is healthcare compliance?

Healthcare compliance refers to the process of abiding by all legal, professional, and ethical compliance standards in healthcare. Basically, it’s about following the rules, and in healthcare, there are plenty of them. These rules are highly complex, and they change frequently, often requiring operational and workflow changes, ongoing education, internal audits, health IT compliance updates, and more.

An important point to remember: Healthcare compliance pertains to all healthcare organizations, both large and small. It's a part of the holistic approach called healthcare governance, risk management, and compliance—or GRC—crucial to creating a safe, high-performing, high-reliability environment.

Healthcare governance, risk management, and compliance (GRC)

GRC spans your entire organization, and helps:

  • ensure safety and compliance
  • measure quality and performance
  • optimize your workforce
  • credential and enroll providers
  • track facility access and security

Who regulates healthcare compliance?

A variety of federal and state agencies govern healthcare compliance. For example, the Drug Enforcement Administration (DEA) regulates the manufacture and distribution of controlled substances, and the Food and Drug Administration (FDA) regulates the approval, manufacture, and marketing of medications, biological products, and medical devices to ensure their safety and efficacy. The FDA also provides the public with accurate, science-based information.

The Department of Health and Human Services (HHS) and its Office of Inspector General (OIG) protect against fraud, waste, and abuse of healthcare dollars by auditing and investigating healthcare organizations. The OIG publishes and regularly updates a Work Plan listing the specific topics it intends to target, giving organizations a heads up on the types of audits they could face. Both the OIG and HHS also provide wide-ranging educational materials so healthcare organizations can proactively comply with healthcare rules and regulations.

Other important entities are focused on compliance as well. The Joint Commission (TJC) accredits and certifies organizations, mostly hospitals and health systems, that meet its standards for patient care quality and safety. The National Committee for Quality Assurance (NCQA) fulfills a similar role, primarily for health plans and credentials verification organizations. The Centers for Medicare & Medicaid Services (CMS) and other payers have implemented quality initiatives that promote high-quality care through accountability and public disclosure; these measures play an important role in quality improvement, pay-for-performance models, and public reporting. In addition, the Agency for Healthcare Research and Quality (AHRQ) provides a host of resources to help healthcare organizations deliver safe, high-quality care.

What are examples of healthcare regulations?

There are many regulations with which healthcare organizations must comply—and too many to list here. However, some of the most significant statutes follow:

  • The Social Security Act governs funding and requirements for Medicare, Medicaid, the Children's Health Insurance Program, and more.
  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996 protects patient privacy and requires organizations to keep patients' medical records secure. Its Privacy Rule governs how protected health information (PHI) may be used and disclosed, and its Security Rule requires administrative, physical, and technical safeguards for electronic PHI.
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 expands HIPAA: it promotes the adoption of electronic health records (EHR), sets health IT compliance standards for that adoption, adds breach notification requirements, and strengthens enforcement and penalties.
  • The False Claims Act makes it illegal for providers to file a false claim to a federal payer. It includes a qui tam provision that allows people who are not affiliated with the government (otherwise known as relators or whistleblowers) to sue the wrongdoer on behalf of the U.S. government.
  • The Anti-Kickback Statute prohibits organizations and providers from receiving a financial benefit for patient referrals if the federal government may be charged for all or part of the cost of these services. The goal? To prevent the influence of financial gain on medical treatment decisions. 
  • Likewise, the Physician Self-Referral Law (Stark Law) prohibits physicians from referring patients with Medicare or Medicaid to a provider or entity with whom the physician or a member of the physician’s immediate family has a financial relationship.
  • More recently, the Patient Protection and Affordable Care Act implemented new requirements for insurance, Medicaid, and more. 
  • In addition, the Centers for Medicare & Medicaid Services (CMS) issued the Interoperability and Patient Access Final Rule, which gives patients greater access to and control over their electronic health information.
  • Another recent regulation is CMS' Hospital Price Transparency Final Rule, which requires hospitals to publicly disclose their standard charges, including the rates negotiated with health plans.

Why is healthcare compliance more important than ever?

Healthcare compliance is critical because the stakes are high. In some scenarios, the consequences are life or death. Seemingly small mistakes can have dire consequences on patient outcomes, care coordination, and patient safety. Organization-wide healthcare compliance ensures that everyone follows proper procedures and understands expectations—all with the goal of providing high-quality and safe patient care.


How can healthcare organizations ensure compliance?

On a macro level, the first step is to create a culture of healthcare compliance. This means taking steps to ensure that everyone in the organization understands how their actions contribute to overall healthcare compliance, and that they strive to abide by all rules and regulations every day.

When mistakes occur, organizations with a culture of healthcare compliance seek to understand the root cause and put measures in place to prevent those mistakes from happening again.

Creating a culture of healthcare compliance doesn't happen overnight. It takes time, training, and trial and error to get it right. And getting it right requires an ongoing effort led by a compliance officer and a department dedicated to healthcare compliance. It also requires executive leadership buy-in. Leaders set the tone and encourage ethical behavior, from the top down.

What's in a compliance plan?

To become healthcare compliant, organizations need a healthcare compliance plan, including written policies, procedures, and standards of conduct. The OIG suggests hospitals focus on risk areas (e.g., billing for services not rendered, upcoding, unbundling, and duplicate billing), claim development and submission process, medical necessity, anti-kickback and self-referral concerns, bad debts, credit balances, record retention, and more.

A healthcare compliance plan should also take into account areas of vulnerability identified through internal audits and through the results of Comprehensive Error Rate Testing (CERT). The CERT program calculates a national improper payment rate, as well as contractor- and service-specific improper payment rates, based on a statistically valid random sample of Medicare fee-for-service claims. Organizations can use this information to identify potentially high-risk areas and then conduct a risk analysis to ensure healthcare compliance.

In addition, the Department of Justice publishes in-depth guidance on evaluating the effectiveness of corporate compliance programs. Although this guidance is meant to assist prosecutors in deciding whether, and to what extent, an organization's compliance program was effective at the time of an offense, healthcare organizations can also use it to proactively improve their own compliance plans.

Organizations must also ensure ongoing auditing and monitoring. Healthcare compliance software can greatly assist, because it can proactively assess and communicate operational and financial risk enterprise-wide, in real time. Regardless of whether an organization uses software, though, the key is to perform frequent audits. An organization won’t know whether it’s compliant unless it probes into actual workflows to see whether employees are following written policies and procedures. Organizations may conduct annual audits on certain topics, or they may choose to audit more frequently (e.g., quarterly or monthly) to keep closer tabs on performance. When an auditor identifies that a person or department is noncompliant, they should provide education on how to remedy the problem.

Enforcing compliance standards in healthcare through well-publicized disciplinary guidelines is equally important. If someone continually doesn't follow the rules, for example, they might face temporary suspension or even termination. That goes for everyone within the organization, from the top down. No one should be exempt from disciplinary action for persistent noncompliant behavior.

What happens if healthcare organizations are noncompliant?

If organizations violate laws, they could face lawsuits, fines, or recoupments. They could even lose their ability to contract with payers. Individual providers could also lose their medical licenses. There’s also a reputational aspect of noncompliance. When patients discover that an organization isn’t safe or that it doesn’t follow the rules, they may be less likely to seek care there. That has a negative financial impact on the organization, which can take years to repair.

The symplr approach

Managing healthcare compliance is an around-the-clock endeavor, and organizations need a scalable solution to address ever-changing regulations, improve healthcare quality and safety, mitigate risk, and keep patients safe. symplr's web-based solutions provide a real-time view of compliance so healthcare leaders can make timely decisions. For example, symplr's healthcare compliance software makes it easy to assess risk status, manage investigations and incident reporting, conduct surveys and audits, and more, at a time when organizations are doing more with less. Its digital event management system captures incidents and near misses, provides analytics, and manages workflows in real time to enhance patient safety. Finally, its healthcare quality software helps organizations maintain strict control over the quality measures that affect reimbursement.

As healthcare organizations forge ahead into an uncertain future, healthcare compliance should be at the forefront of every decision they make, whether it pertains to information exchange and access, health information technology implementation, education and training, or anything else. A compliant organization is an empowered one. It's a confident one. It's a safe one. And it's an organization that patients turn, and return, to for their healthcare needs.
