Cybersecurity challenges, data breach litigation costs, regulatory overload, and industry mergers are top issues for 2024
Four core issues will shape the 2024 outlook for hospitals and other covered entities, just as they have plagued the healthcare industry in recent years. Cybersecurity challenges, many stemming from poor HIPAA compliance, distract hospital administrators and eat up resources. The healthcare industry leads all others in terms of data breaches and the related costs of litigation and settlements, not to mention penalties imposed by the OCR. The effects of regulatory overload are ailing physicians, administrators, and healthcare in general, and physicians are also profoundly concerned about an industry increasingly driven by profit and related mergers and acquisitions.
Cybersecurity Challenges Are Ongoing
Hospitals and other healthcare providers, as well as business associates and health plans, continue to be vulnerable to a wide range of cybercrime aimed at stealing patient data and disrupting operations. Healthcare data remains in high demand on the dark web and commands a hefty price. The four most serious sources of cybercrime, according to recent surveys, are as follows:
- Ransomware attacks on hospitals, many of which disrupt operations and patient care significantly;
- The hacking of healthcare databases, networks, and systems to steal protected health information and personally identifiable information;
- The use of internet-connected medical devices with outdated software, which makes them especially vulnerable to hacking and can impact diagnostics and patient care;
- Reliance on legacy systems and equipment that are no longer supported and therefore highly vulnerable to compromise.
Budget constraints are an underlying theme that contributes to these and other cybersecurity challenges across the healthcare industry. In addition, the proper implementation of new technologies, and ongoing shortages in skilled staffing, continue to be substantial impediments to optimal healthcare delivery.
Data Breaches Spur Lawsuits and Penalties
Many of the larger cybersecurity incidents suffered by hospitals and other covered entities result in class action lawsuits pressed on behalf of affected patients.
On May 12, 2023, Great Expressions Dental Centers in Michigan reported a network hacking incident and began mailing notifications to 528 affected individuals. A week later, a large personal injury law firm filed a class action lawsuit.
In Georgia, CRH Healthcare agreed to pay $1.6 million to settle a lawsuit claiming its urgent care clinics had charged for non-existent doctor visits during the pandemic. The lawsuit was filed under the federal False Claims Act by the U.S. government and the state of Georgia.
In July 2023, a class action lawsuit was filed against HCA Healthcare after a massive data breach potentially affecting 11 million patients. In addition, a separate antitrust lawsuit accuses HCA of cutting staff and monopolistic conduct that left “Western North Carolinians with increasingly bad healthcare at an ever-growing price.”
In late 2023, UnitedHealthcare was sued following allegations that it used an AI algorithm to deny claims submitted to Medicare Advantage for post-acute care services. The lawsuit was filed by the families of two deceased Medicare Advantage members who allege that UnitedHealthcare illegally deployed the naviHealth platform to deny medically necessary care to seniors. The lawsuit asserts that the AI technology has a 90% error rate.
Other lawsuits and settlements have been recorded throughout the healthcare industry for various reasons, with the following examples reported by Becker's Hospital Review in late 2023:
A jury awarded an additional $50 million to a family who sued a Johns Hopkins Children's Hospital in a case made famous by a Netflix documentary, bringing total damages to $261 million.
A group of health systems across the U.S. is attempting to block the Health Resources and Services Administration from reinstating a registration policy for offsite clinics of 340B-eligible hospitals, which they claim will cost billions of dollars.
A nurse has sued BJC HealthCare, of St. Louis, claiming they delayed her start date and then withdrew a job offer because she is deaf.
Rady Children's Hospital, based in San Diego, has been sued for allegedly recording a patient and her family, secretly and without permission, to prove the child was suffering from abuse.
In addition, the HHS Office for Civil Rights routinely imposes financial penalties and corrective action plans on hospitals and other covered entities for violations of the HIPAA Security and Privacy Rules and Patient Right of Access requirements. Violations often lead to data breaches and other cybersecurity incidents.
The Debilitating Effects of Regulatory Overload
Members of the healthcare industry face the daunting task of complying with an increasing burden of federal and state regulations, all while trying to provide competent healthcare to patients. Although federal regulation is generally intended to ensure that patients receive safe, high-quality care, regulatory overload seems to be compromising this objective in addition to increasing the cost of providing care.
Several research organizations report on the regulatory burden facing the healthcare industry, and a study by the American Hospital Association several years ago noted some of the effects of federal regulations within the industry. Among those findings:
Four specific requirements are cited as “very or extremely burdensome” by healthcare executives surveyed for the 2023 MGMA report. Prior Authorization topped the list, cited by more than 89%, followed by audits and appeals (69%), the Medicare Quality Payment Program (68%), and surprise billing and good faith estimate requirements (63%).
Two comments from 2023 survey respondents were especially resonant. “We have 20 physicians in our organization. I have six full-time Prior Authorization staff and it’s difficult to get ahead and obtain the PAs two weeks out.” “It delays patients’ access to care. Some payers take over two weeks to respond, some do not respond at all, and providers must waste time chasing them down for an answer.” In fact, 92% reported that they have had to “hire or redistribute staff to work on Prior Authorizations due to an increase in requests.”
Health systems, hospitals, and post-acute care providers must comply with 629 discrete regulatory requirements, according to the AHA report, and spend almost $39 billion annually performing compliance-related administrative activities. The average community hospital of 161 beds spends over $7.5 million annually on administrative compliance work. Across the U.S., the regulatory burden equates to an added cost of $1,200 every time a patient is admitted to a hospital.
The move toward value-based payments (in Medicare/Medicaid) has added to the regulatory burden without creating positive change, according to the MGMA survey. Almost three-quarters of practice leaders (72%) state that it has not improved the quality of their patient care. Asked if the move to pay physicians based on value has been successful thus far, 62% said it has not.
The average hospital dedicates 59 full-time equivalents (FTEs) to regulatory compliance, more than 25% of the doctors and nurses. This significantly reduces the amount of time available for healthcare delivery. As one executive commented, “I have more staff dedicated to administrative duties than I do to patient care.”
Meaningful Use compliance has driven healthcare providers to invest in IT systems, but the challenges of excessive costs and interoperability issues remain. The average hospital spends nearly $760,000 annually to meet MU administrative requirements, according to the AHA.
Physicians Concerned About Industry Mergers and Profit Focus
More than 50 hospital mergers or acquisitions were announced in the first nine months of 2023, matching the total number of hospital M&A deals in all of 2022, according to an article in Chief Healthcare Executive. The following were among those 50 consolidations:
- Kaiser Permanente announced plans to acquire Geisinger and form a new healthcare organization to be known as Risant Health. Kaiser operates 39 hospitals, hundreds of medical clinics, and a health plan with more than 12 million members. Geisinger will contribute its 500,000 health plan members to the pot along with its 10 hospitals.
- Two Missouri-based hospital systems will form a combined organization of 28 hospitals with $10 billion in revenue. When the merger is completed, Saint Luke’s Health System will fold into BJC HealthCare.
- Novant Health, based in North Carolina, is on a regional buying spree, acquiring two in-state hospitals from Community Health Systems, and a small rural hospital as well. Novant also plans to purchase three hospitals in South Carolina from Tenet Healthcare for $2.4 billion.
- In Florida, Tampa General Hospital acquired three hospitals and other care locations from Community Health Systems, renaming the acquired group TGH North. University of Florida Health acquired Flagler Health, a 335-bed hospital in St. Augustine along with other care sites, to be renamed UF Health Flagler Hospital.
These are just four of the 50 mergers and acquisitions in 2023 that have physicians and residents concerned about motive, focus, and quality of care. Each year, the Physicians Foundation assesses physician opinions on various healthcare topics; the following are some of its findings related to M&A activity.
- At least 30% of physicians and residents have experienced a merger with or acquisition of another practice or hospital during the past five years. One-fifth of them were involved in the decision-making process.
- at their hospital or practice’s top priority is financial profit.
- that consolidation is impacting patient access to high-quality, cost-efficient care.
Four compelling issues will continue to impact the healthcare industry in 2024, as they have in recent years. They include ongoing cybersecurity challenges, in part due to poor compliance; litigation and penalty costs related to data breaches; the increasing regulatory burden and its impact on healthcare budgets and other resources; and the often profit-driven mergers and acquisitions that, in many cases, are creating multi-billion dollar industry giants and may affect the quality of care, at a minimum during the transition. Unfortunately, none of these concerns is new.
These and other timely topics will be explored at the Texas Hospital Association’s annual conference in Dallas February 14 to 16, 2024. 24By7Security is an Endorsed Partner of the THA and an Emerald Sponsor of the event. Our President and Founder, Sanjay Deo, will address conference attendees on issues related to healthcare cybersecurity and compliance.