Legal Challenges and the Benefit of a Comprehensive Compliance Program

The list of compliance and legal challenges facing providers, hospitals and healthcare systems over the next year is long:

  • Physician arrangements and fair market value;
  • Mergers and acquisitions;
  • Quality metrics and risk sharing;
  • Fraud, waste, and abuse;
  • Coding and billing transactions;
  • Reimbursement;
  • Medical staff issues and burnout;
  • Labor and employment issues;
  • HIPAA and HITECH; and
  • Technology and integrated medical devices.

A list like this can seem daunting. However, a comprehensive compliance program with appropriate resources can help avoid disastrous results related to healthcare compliance and legal challenges.

Labor and Employment Law

The Atlantic reported in January 2018, “Health Care Just Became the U.S.’s Largest Employer In the American labor market.”  The growth of the healthcare sector brings increased labor and employment challenges.  Although the terms are often used synonymously, labor law focuses on groups of workers (think unions and collective bargaining) while employment law focuses on individual workers, (think discrimination of an individual in a protected class).

A comprehensive compliance program will decrease labor and employment law challenges, by ensuring human resource policies and procedures comply with federal and state laws.  Moreover, personnel file audits will demonstrate compliance with those laws.

Transactional Law

Mergers, acquisitions, partnerships, joint ventures and U.S. antitrust law

The Agency for Healthcare Research and Quality (AHRQ) reported in its 2018 National Healthcare Quality & Disparities Report that almost 70% of U.S. hospitals and 43% of primary care physicians are part of consolidated health care systems. Consolidations require an astute compliance and legal team to ensure compliance with antitrust law. These transactions continue to draw scrutiny from the Federal Trade Commission due to monopoly concerns.

The challenge for healthcare organizations is even greater when business crosses state lines. The organization must then comply with multiple state laws simultaneously.  As part of a comprehensive compliance program, a compliance professional should work closely with in-house or outside counsel to ensure the business transactions and consolidations include a compliance due diligence perspective, for example reports to the board of directors.

Security Law


Compliance is mandatory; failure to comply is an opportunity to ruin an organization both financially and reputationally.  Ransomware attacks on healthcare providers through their computers and medical devices are on the rise. While most IT departments focus on HIPAA security for computers, few address security issues with interconnected medical devices.

A comprehensive compliance program will include recommendations to address the management of cybersecurity for medical devices like those outlined by the U.S. Food and Drug Administration (FDA).

Practice Tips

  1. Use of reports to support legal defense of employment or labor law violations, if needed.
  2. Use of notification and management system to prevent legal challenges by providing up-to-date guidance to support compliance activities.
  3. Conduct an evaluation of medical devices in accordance with the FDA FAQ. Disable the voice recognition feature of smart devices while conducting confidential discussions in a room with a smart TV or speaker.

A system such as youCompli is a strong addition to a comprehensive compliance program, providing up to date notifications of regulatory change, as well as full insight and audit of the compliance process.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.

Cybersecurity: The Nightmare That Keeps Me Up At Night


You are preparing for board meeting, but you can’t get into your reporting application.  You log off the computer and then log back in – no good.  You call the helpdesk and hear what you never want to: “The application is offline due to a potential cyber attack.”

Keeping organization data safe from hackers is a real concern for compliance professionals.  When asked what keeps them up at night, most would say it is the fear of finding one of the IT systems or applications was hacked. The nightmare may be recurring for compliance professionals who work in health care where personal, protected health information (PHI) data is stored in electronic health record applications.

To optimize cyber protection and minimize cyber events, it is recommended that compliance departments partner with their organization’s information technology (IT) and risk management departments.  A good place to start collaborating is to write and implement an organization-wide cybersecurity plan (CSP) based on each discipline’s input, this way input is included from each discipline leading to a more robust plan

As required under HIPAA and HITECH, Compliance and IT professionals generally focus on how to prevent both privacy and security breaches respectively, so the CSP should include prevention steps from both of those aspects.  While risk management includes prevention, risk also focuses on loss mitigation and minimizing impact to the organization’s reputation after a cyber event has occurred.

And the CSP must include ongoing staff education.  While there are many commercially available tools or applications which provide cyber protection against email hackers, phishers, malware, spyware, and viruses, these tools are only as good as the end users working on the organization’s computers.  Of course, the CSP should include appropriate fire walls and penetration testing by an outside vendor to assess the organizations privacy and security vulnerabilities; however, the best prevention is education for staff so they can identify emails which may contain malware, spyware or viruses.

Ongoing education should occur with staff at all levels of the organization.  Education should include internal IT generated phishing emails with remediation for those who “take the bait” and click on the bad links.  It should also include cross-departmental table-top exercises where cybersecurity related scenarios are presented and discussed to ensure familiarity with the CSP and to identify and improve upon weaknesses in the plan, staff education, or the applications used.


  1. Schedule a one-hour call with your insurance broker to review your cyber liability insurance policy and reporting requirements in the event of a privacy or security breach.
  2. Ensure you are current with not only federal, but state security and privacy laws.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.