As medical groups broaden their adoption of health IT (HIT) solutions to improve workflows and patient care, they also must contend with the significant costs of ensuring compliance with federal and state regulations.
Just seven years ago, the Centers for Medicare & Medicaid Services (CMS) paid $35.8043 per total RVU, yet multispecialty groups with primary and specialty care reported spending $0.53 on IT employee compensation and $1.29 on IT equipment, maintenance and software per total RVU. In terms of operating margin, more than 5% of what Medicare pays to a practice is consumed by IT costs.
Today, that same conversion factor is 5.4% lower — at $33.8872 — while combined median per-total-RVU IT support staff and IT operating costs sit at $0.57 and $1.47, respectively, per the 2022 MGMA DataDive Cost and Revenue survey report.
In short: IT expenses now represent a full 6% of each Medicare reimbursement dollar going to practices.
A March 14, 2023, MGMA Stat poll finds that medical group leaders are seeing little change in this upward trend of expenses: Nearly 3 out of 4 (74%) responded that their HIT compliance expenses rose in the past year, while 25% noted these expenses stayed the same, and only 2% saw a decline in their expenses. The poll had 384 applicable responses, and the figures do not equal 100% due to rounding.
Among medical group leaders reporting an increase in these expenses over the past year, some of the most common areas of spending were:
- New or improved cybersecurity systems, such as firewall updates or security features on individual workstations, including multifactor authentication
- Server upgrades
- Increased premiums on cyberinsurance policies
- New software systems for catching malware or viruses
- Surging costs for remote user VPNs to cover hybrid and remote workers
- Additional full-time staff on in-house IT teams.
Where IT expenses are headed later in 2023 might depend on the degree to which healthcare provider organizations continue to face lingering labor market issues and staffing shortages, which might prompt more spending on IT solutions to automate processes previously managed manually by workers.
Recent MGMA DataDive Cost and Revenue surveys found that both physician-owned and hospital-owned multispecialty groups tightened their IT spending in 2020 during the height of the COVID-19 pandemic, but hospital-owned groups showed a near-return to their pre-pandemic level of IT operating expenses in 2021 as they began their recovery. A similar bounce back among physician-owned groups might be seen in this year’s survey benchmarks.
IT expenses in the EHR era
Looking back more than a decade, the expenses of complying with evolving regulations around HIT were not insignificant:
- A 2011 study published in Health Affairs put the price tag for EHR implementation for a five-physician practice around $162,000, followed by $85,000 in maintenance costs in the first year alone.
- In 2013, the cost for implementation of the HIPAA Final Rule was estimated to range from $114 million to almost $226 million.
- By 2015, MGMA DataDive Cost and Revenue survey results found that annual HIT costs rose more than 40% since 2009 to $32,500 per physician in physician-owned multispecialty groups, which includes IT equipment, staff, maintenance and related costs.
Tracking rising HIT expenses in the era of inflation
These findings echo a July 2022 MGMA Stat poll in which IT-related expenses were the second most common response from medical group leaders about which non-labor expenses had increased the most in the previous year, ranking only behind drug supply costs as the top rising expense category.
At the time, medical group leaders told MGMA that they were especially impacted by supply disruptions to hardware for their IT systems, often postponing or delaying planned upgrades because of item unavailability or price gouging.
In other instances, practices that pivoted to a significant amount of remote working reported “dramatically increased” expenses to improve cybersecurity efforts outside traditional brick-and-mortar facilities.
Other increased IT expenses included higher costs for planned EHR conversions and training for providers and staff, though many respondents noted these were expected to be one-time expenses. Some medical groups opted to divert funds previously allocated for other areas (e.g., marketing) to continue with cybersecurity and system upgrades.
Assessing the threat landscape
The Department of Health & Human Services (HHS) Office for Civil Rights (OCR), as part of its annual congressional report, gives an overview of HIPAA compliance and enforcement actions. In the most recent report covering calendar year 2021, the OCR summary found a 58% increase in large breach reports since 2017, as well as a 39% increase in HIPAA complaints; however, HIPAA enforcement activities have been relatively low in recent years, due to relaxed regulations during the COVID-19 public health emergency (PHE) and what OCR described as “lack of financial resources.”
A closer look at OCR’s report finds:
- 34,077 new complaints of alleged HIPAA rules and HITECH Act violations, a 25% increase from the number of complaints received in 2020
- Out of 26,420 resolved complaints, the majority (20,661, or 78%) were resolved before initiating an investigation. Another 16% (4,139) were resolved by providing technical assistance rather than launching an investigation.
- Hacking and IT incidents represented the largest category of reported data breaches in 2021 (75%), with the largest category of incidents involving network servers.
- Risk analysis and management were cited as crucial areas for improvement among covered entities, and the report recommended careful review of the HIPAA Security Rule standards and security management process standards.
A recent Healthcare Dive analysis of HHS OCR data found that hacking/IT incidents have surged since 2018, eclipsing all other types of breaches (e.g., theft, loss, improper disclosure, or unauthorized access).
- MGMA members can access a member-benefit guide to flexibilities and policy following the expiration of the COVID-19 PHE.
- MGMA’s HIPAA Breach Toolkit is designed to guide practice executives through the process of determining if a reportable breach occurred and the steps to take if the organization determines that a breach did occur.
- Discover 10 cybersecurity action steps to protect your organization.