The Long Road to Compliance

For Imaging Leaders, Keeping Up With Evolving Policies and Safety Standards Gets Harder By the Day 

New developments in medical imaging aren’t the only items that bear tracking by radiology practices and hospitals. Imaging leaders also must remain informed about Centers for Medicare and Medicaid Services (CMS) policies, safety standards, the U.S. Preventive Services Task Force guidelines, ICD-10 codes, Joint Commission updates, the Health Information Privacy and Accountability Act (HIPAA), kickback laws, repeated attempts to “repeal and replace” the Affordable Care Act and much more. Staying up to date is a big job that keeps getting bigger, and the time invested in doing it is significant—but the risks of ignorance and non-compliance outweigh the aggravation.

“In today’s environment, regulators, payors, whistleblowers—seemingly everyone—is looking to collect or recoup at every opportunity,” says Adrienne Dresevic, Esq., of the Health Law Partners, P.C. (The HLP) in Farmington Hills, Mich. Moreover, she adds, whether lack of compliance with regulations, standards and the like is deliberate or unintentional, ignorance “is not an excuse” and the negative impact on practices (and hospitals, for that matter) is often the same.

The price of ignorance—i.e., fines and other consequences associated with non-compliance—can be steep. For example:

HIPAA violations. Clinton Mikel, Esq., a partner at The HLP, says smaller healthcare providers have faced expenditures that exceed $100,000 for simple HIPAA violations. In instances where a healthcare entity is unaware that its practices have led to a HIPAA violation, the minimum civil penalty stands at $100 per violation, with an annual maximum of $25,000 for repeat violations; the maximum civil penalty is $50,000 per violation with an annual maximum of $1.5 million.

“When [imaging providers] think about HIPAA and not knowing about any changes—which do occur—they have to figure not just the initial fines, but the whole financial picture, including the costs associated with curing breaches and protecting the identity of the individuals whose data was breached,” says attorney Paul W. Pitts, a partner in the San Francisco, Calif., office of Reed Smith LLP.

According to the 2017 “Cost of a Data Breach” study conducted by the Ponemon Institute, the average healthcare data breach cost per record is $380 [1]. This is the highest average of any industry, and No. 2 on that list is the financial industry ($336 per record). The public sector, meanwhile, has the lowest average cost of any industry featured in the study ($110 per record).

Stark Law violations. The Stark Law prohibits physician self-referral, wherein a physician refers a patient to a medical facility in which he or she has a financial interest, be it ownership or a structured compensation arrangement. This includes referrals for designated health services, among them MRI, CT, and ultrasound. The civil fine for each instance of self-dealing is $15,000.

“The Stark Law can be very tricky,” Dresevic says. “For example, we’ve seen a lot of instances where the referring physician sends a patient to his or her spouse, or an interventional or diagnostic radiologist qualifies as a referring physician, and it triggers a Stark question. The fine alone is reason to look at it really carefully.”

Medicare claim errors. Attorneys at both The HLP and Reed Smith have seen issues arise out of failure to note changes in Medicare coding and billing requirements time and time again. These types of innocent mistakes or oversights—and similar ones with regard to Medicaid—have led to exclusion or near-exclusion from the programs, note Mikel and Pitts.

There is also damage to one’s reputation to consider. Once word gets out that an imaging practice or hospital has had a HIPAA violation, has been excluded from participation in any federal health care program or has in any other way run afoul of regulations or policies, strong potential exists for its reputation—and its patient load—to suffer, Pitts says. He adds that this is the case regardless of the reason for failure to comply with a given regulation, policy or standard, explaining that the media’s talent for informing the public of even small infractions intensifies the likelihood of reputational damage. Statistics from the Ponemon Institute bear this out: the report pegs healthcare entities’ average “churn” (patient loss) rate at 5.5 percent, compared with a far lower 1.9 percent for retail stores.


On the flip side, close attention to regulatory and other developments yields positive benefits beyond financial savings and upholding of imaging providers’ reputation. Michael Janis, MBA, RT, director of ancillary services at HSHS St. Anthony’s Memorial Hospital in Effingham, Ill., cites his facility’s experience surrounding the Protecting Access to Medicare Act of 2014 (HR 4302). The Act calls for reduced Medicare reimbursements for certain diagnostic scans performed on equipment that does not meet the XR-29 CT standard. Because the hospital became aware of the standard long before the act went into effect last year, it had sufficient time to work with its CT vendor to assess XR-29 compliance and initiate a necessary upgrade free of charge. “If we had been in the dark about XR-29 compliance until much later, I don’t think we would have been able to make the improvement and avoid lower reimbursement,” Janis says.

Fighting the Good Fight 

The challenges associated with remaining fully cognizant of regulatory changes and preparing to take the steps needed for compliance are as significant as the consequences of not doing so. It is no surprise that cost tops the list of such challenges. Healthcare researcher and author Paul Keckley, PhD, principal at The Keckley Group in Washington, D.C., estimates that for some hospitals, mandatory safety and compliance reporting alone runs $500,000 to $1 million per year and can “go much higher,” depending on a variety of factors. “It’s difficult to put a precise price tag on compliance, but when you consider the changes that have to be made and the manpower devoted to it, you’re talking about a significant sum even for a smaller practice,” Keckley says.

Time is another obstacle. At HSHS St. Anthony’s, staff spend a collective two to four hours per day on compliance-related issues, whether tracking the latest developments or ensuring that the necessary compliance is occurring. For Watts Health, a community health center in Los Angeles, time devoted to radiology-related compliance, including checking for and learning about new or revised regulations and policies as well as performing compliance-related tasks, amounts to 10 to 15 hours per week, according to James Johnson, BSRS, RT (R), radiology director for Watts Healthcare Corp. 

Both HSHS St. Anthony’s and Watts Health have taken deliberate steps to remain aware of various regulations and policies. The former is part of the Health Sisters Hospital System, and radiology directors at all 15 hospitals within the system meet to discuss issues pertaining to compliance and determine how to best handle any new developments. Additionally, staff convene in “safety huddles” four times each day to ensure that safety standards are being met and the proper number of staff are in place based on patient census, acuity and the number of scheduled procedures. These and other compliance-related elements are tracked and managed using Kamishibai boards, visual representations of tasks and requirements at hand. Personnel from the hospitals also remain active participants in the AHRA, which Janis considers an “excellent resource” of information on important developments. 

At Watts Health, committees and subcommittees have been formed to focus on individual issues within the regulations and policies that apply to the facility. Monthly meetings of quality management personnel, managers, and department directors are held so that participants can share what they have learned about their areas of informational responsibility.

“It’s a matter of being very organized, remaining that way and dividing the responsibilities,” Johnson says. “No matter the size of a facility or practice, how it’s regulated or by which bodies, the key is breaking things into pieces. No one can, or should, be held accountable for the entire thing.”


Are More Headaches on the Way? 

While efforts to manage the glut of information that surrounds compliance appear to be effective, the situation is, for the most part, expected to worsen rather than to improve. “Things were much simpler 10 or 15 years ago, but for the past few years, it’s been rule upon rule and change upon change,” Keckley says.

He points to the example of safety reporting regulations, noting that CMS undertook an initiative aimed at simplifying the reporting process two years ago, but “things are not as clear in the current administration as under the previous one.” Such confusion may be exacerbated when a replacement for HHS Secretary Tom Price, who announced his resignation in September, is finalized. 

Johnson has a similar point of view. “The current administration can’t even agree to disagree,” he says. “What else could arise out of that, except more of the same?”

Imaging providers will clearly need to anticipate further change and continue to delegate information-sharing and assessment responsibilities to foster compliance. “The more we do that,” Janis says, “the more positive outcomes we’ll see.”


1. 2017 Ponemon Cost of Data Breach Study. IBM 2017 Cost of Data Breach Study - United States. Published July 28, 2017. Accessed October 9, 2017.