Marty Puranik

What will a business get back for protecting its staff from injuries? While asking this question may seem callous, it is strategic, because the answer is in favor of investing substantially in safety: injuries are expensive. To look at the most extreme example of a workplace injury that results in death, the Centers for Disease Control estimates the total hospital costs per fatal injury at $991,027. However, there are additional costs as well, with the National Safety Council placing the average total cost to society at $1.42 million.

The Savings of Security Compliance

Like ensuring workplace safety, safeguarding confidential data such as electronic protected health information through security compliance and healthcare hosting is clearly a worthwhile investment, according to a recent study. The analysis, which reviewed 46 organizations from healthcare, finance, retail, and government, found that compliance with security standards would result in savings over time. Payment Card Industry Data Security Standard compliance was the greatest point of focus in the analysis; however, additional standards were also assessed, including those of the Federal Privacy Act, Sarbanes-Oxley, and HIPAA.

According to the study, the cost of compliance was $3.5 million, while the cost of problems arising from non-compliance was $9.4 million.

Steps to Build Better Compliance ROI

Since compliance can lead to savings, it is worth considering how you can improve ROI and ensure more consistent compliance. Lynn Haaland, PepsiCo's global chief compliance and ethics officer, discussed this issue in a March 2018 article, suggesting steps forward. Below are some recommendations, combining her ideas with some others that are important to healthcare compliance:

Promote a compliance culture. Haaland noted that it can be particularly effective to transform organizational culture rather than simply coming up with rules. One way to do that in health care is by introducing real-life scenarios during HIPAA training so that people develop a more lived experience of what is involved in meeting compliance.

Pore over metrics. Measuring ROI is challenging, but accurate estimates help tremendously. Organizations should work to gather the best metrics for evaluating their compliance programs so they can better determine their value.

Build real programs. Formal programs can improve compliance as well. After all, the return on compliance depends on it functioning throughout your ecosystem. A compliance program can be especially powerful in health care, since a strong vetting process for selecting business associates is so critical, as is ensuring that a strong business associate agreement is signed with each provider that handles the organization's electronic protected health information (ePHI).

Prioritize security. Healthcare leaders should never forget the critical importance of the Security Rule within Title II of HIPAA, which contains the instructions and standards required to protect digital environments and ePHI.

Focus on training. Because social engineering and other forms of human error are so common, training becomes essential to maintaining a compliant and secure environment.

Getting the Most Out of Compliance Investment

It is sometimes easier to argue for the ROI of offensive strategies (such as sales) than for defensive maneuvers (such as security). However, the ROI is clearly there in the money saved, on average, by organizations that achieve compliance. Security is important, but organizations should also invest substantially in the people factor, both in strengthening their internal stance and in vetting HIPAA-compliant hosting providers and their other business associates.

Marty Puranik is CEO and president of Atlantic.Net, Orlando, Fla.

Publication Date: Tuesday, February 05, 2019