E-Briefings – Volume 20, No. 6, November 2023

A Glaring Spotlight: Hospital Boards Must Deal with Increasing Negative Scrutiny

By David Jarrard, Chairman, Jarrard Inc. Executive Committee

Activating the Board

  • Be an active voice. Know your audience. Be ready with a consistent message that is tailored to the person or group receiving it.
  • Boldly lead conversations about the future of care. Healthcare leaders are carrying so much weight as they fight to advance access and continue serving their communities. The board’s voice is needed in support of this work.
  • Don’t fall into the victim trap. People have their own financial challenges—often including medical bills. Educate the executive but do it from a patient/consumer-centric perspective, focusing on their concerns and not those of the hospital.
  • Recognize the emotion. These conversations about money and health are deeply personal for people. Engage people with the knowledge that the finances of their healthcare, their access to a physician they trust, matter deeply.
  • Start early. In fact, start before you need to. Engage with media, lawmakers, community leaders, patients, and payers to talk about the challenges facing the community—again, as a team player in partnership with the executive team. Build trust and collaborate so that when things get tense, you already know the people you’re talking to.
  • Use the media wisely. Remember that newsrooms, like operating rooms, are running on a staffing shortage. Give reporters pared-down messages that use clear yet compelling language. Appeal to emotions. Remember that talking to the media is talking to the public.
  • Partner with your leadership. In all the above, work closely with your health system’s leadership team, working in harmony with them to advance the organization’s goal. Being active and bold is not a call for board members to take matters into their own hands—which can lead to negative unintended consequences. Instead, partner with the executive team to develop a clear, consistent message and plan for getting it out to relevant stakeholders.

Healthcare’s halo has slipped.

The powerful goodwill that largely shielded hospitals and health systems from rocking political waves and funding challenges over the last century is steadily eroding. The generous assumption that hospitals and health systems are operating in a manner consistent with their stated mission can no longer be taken for granted.

In the face of an onslaught of scrutiny and criticism from private and government voices, only 51 percent of Americans now believe hospitals and health systems are meeting the needs of their community, and the majority say hospitals are more focused on making profits than treating patients, according to our firm’s research.[1]

This reputation erosion is costly. It has bottom-line consequences.

A health system’s ability to command appropriate reimbursement from government and private payers, protect its market share, and leverage its strength in workforce discussions is facing material challenges. Left unchecked, a health system’s ability to determine its own future and the delivery of care in its community is in question.

As an industry, there is urgent work to do and board members have a vital and unique role to play in it.

Four Hot Buttons

Let’s look at four of the most heavily scrutinized issues today and the challenges they pose.

Community Benefit and Tax-Exempt Status: Watch Your Language

Lawmakers, media, and advocacy groups are challenging the tax-exempt status of many not-for-profit providers. These voices make the assertion that the value of a hospital’s tax breaks should equal the dollar amount of the charity it provides, using a narrow definition of charity that is less than, well, charitable to healthcare systems.

As such, boards, leadership, and marketing teams need to reframe how they view terms such as “value,” “quality,” and “experience.” They also need to sharply define “charity care” itself. Those words often mean different things in the public’s mind than they do in your finance committee. The public may define “quality” as “my own experience or relationship with a provider,” “patient experience” as “how I’m treated when I press the call button or when it’s time to pay my bill,” and “community benefit” as “the amount of free care provided.”

Encourage your leadership team to start your communications, marketing messages, and even community benefit reports using the language and perspective of your patients. Begin with your vocabulary. A common language is the first step to finding common ground.

Billing and Cost of Care: Educate and Review Processes

The high cost of care is one of the nation’s leading political issues. National media regularly seek out and expose health system bills and collection processes. The anger and pain expressed in many stories are justified when viewed from the patient’s perspective, compelling lawmakers to be more aggressive in their efforts to do something about the cost of care.

Encourage your leadership to review your organization’s billing and collections practices—to know well and accurately how your organization (and its contractors) is handling all aspects of billing—and then, ensure those practices are aligned with your mission. If you’re not sure if your organization is suing the poor and vulnerable for a handful of dollars, find out and address it.

Board members can be active voices in educating the public—through the media, conversations with lawmakers, and in one-on-one conversations—about how the finances of healthcare work. It is vital to connect the dots between policies like 340B and how changes to reimbursement and billing affect the viability of provider organizations. The point is not to shift blame or to play the victim, but to communicate clearly about how the pieces fit together in an admittedly flawed system.

Partnerships and Consolidation: Share the “Why”

Consolidation is often necessary today, particularly for independent or rural hospitals at the crossroads of partnership or diminishment, if not closure. At the same time, consolidation is not a panacea, and it does at times lead to tradeoffs.

Because these transactions can be deeply political events within the organization and the community it serves, leaders must ensure sensitive, authentic conversation, messaging, and stakeholder engagement.

Boards can help provide this nuance. As stewards of their organization, board members are in a unique position to explain why a partnership is necessary. “Yes, we need better rates to survive. Yes, we need the efficiencies and access to the administrative and supply chain of a larger system to reduce costs. And yes, our goal is to lower the cost of care. But the first priority is to maintain or expand access.”

Transparency is vital. Don’t overstate the benefits and don’t hide the potential drawbacks. Show what you expect to happen and how you’re going to pursue that outcome while listening to community concerns. This approach brings people together to be part of the process, creating advocates, not opponents.

Payer Issues: Seek the Sustainable

The stakes are high in today’s contract negotiations between payers and providers. Hospitals are desperate for updated and fair terms. Without proper reimbursement, emergency departments, service lines, critical services, and even facilities themselves are at risk. Meanwhile, payers are working to ensure that they fulfill their business imperatives and shareholder obligations.

Employers, particularly large, self-funded employers, are key stakeholders on the periphery of these negotiations. After all, the care you offer is important to their employees and much of the cost of care comes from their bottom line. It’s a conversation for patients and community members, too, with a focus on the care needed for them and their families.

While payers and health systems can find themselves in great tension, innovative organizations are exploring creative partnerships with payers, acknowledging a convergence between payers and providers in the shift toward a more value-driven future. Boards can urge leadership teams to look beyond the immediate payer entanglements to advance a different, more sustainable model.

Conclusion

The common denominator of those issues? Money. Specifically, what it takes to deliver care in today’s economy and the investment needed to ensure care is delivered tomorrow, too. The healthcare economy is a byzantine maze and does not function as consumers expect or want. Boards can be unique, community-minded translators and advocates because they are in a unique position as healthcare leaders. They will hear questions that won’t be asked of executive leadership teams and can say things hospital leaders will not hear and cannot say.

It’s rarely been more universally important for boards to use their position as stewards of hospitals—with all the context and relationships that come with it—to proactively advocate for these vital organizations where care is delivered.

The Governance Institute thanks David Jarrard, Chairman, Jarrard Inc. Executive Committee, for contributing this article. He can be reached at djarrard@jarrardinc.com.


[1] David Jarrard, “A Trust Fall,” Jarrard, October 7, 2023.

Avoiding Liability and Fulfilling Fiduciary Obligations in an Evolving Privacy and Security Landscape

By Carolyn V. Metnick, J.D., LL.M., Partner, Sheppard Mullin

Key Board Takeaways

  • Conduct board education around your organization’s privacy and security compliance obligations, board members’ fiduciary responsibility for managing cyber risk, and their personal liability exposure in the event of failure to exercise oversight of these matters.
  • Ensure the board is regularly informed about your hospital or health system’s cybersecurity compliance program and that vulnerabilities are promptly addressed.
  • Keep the board updated on relevant legal developments that illustrate the significance (e.g., financial cost, reputational harm, and community impact) of cybersecurity oversight failure.

While the U.S. healthcare regulatory landscape is constantly changing, one area that directly touches healthcare, privacy and security, has experienced significant change over the last year after being stagnant for almost a decade.[1] The privacy regulatory landscape has been overhauled in the last year with the signing of at least 10 new state consumer privacy laws and other state health information privacy laws, such as Washington’s My Health My Data Act and Nevada’s Consumer Health Data Privacy Law.[2]

With the increased deployment of artificial intelligence, the rise in cybersecurity incidents, and important legal changes, hospital and health system boards should be aware of their organizations’ privacy and security compliance obligations and their role in protecting their organizations, as well as their personal liability exposure in the event of failure to exercise oversight of these matters.

New SEC Rules on Cybersecurity

In July 2023, the U.S. Securities and Exchange Commission adopted new rules requiring public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934 to disclose material cybersecurity incidents and information regarding cybersecurity risk management, strategy, and governance.[3] The new rules also require disclosures about a company’s process for assessing, identifying, and managing material risks and the effects of risks from threats and incidents, in addition to the board’s role of oversight and management’s role in assessment and management. Specifically, registrants must now:[4]

  • Describe the board’s oversight of risks from cybersecurity threats.
  • If applicable, identify any board committee or subcommittee responsible for oversight.
  • Describe the process by which the board or such committee is informed about such risks.

For-profit publicly traded health systems, among other publicly traded healthcare organizations, became subject to these requirements when the amendments went into effect on September 5, 2023. As a result of these new rules, reporting companies must now disclose more information about their cybersecurity practices, including the role of the board in oversight, which may lead to increased personal exposure of directors for cybersecurity incidents.

Civil Liability for Poor Oversight

The disclosure of the names and roles of directors of publicly traded companies who have cybersecurity oversight responsibility may make them easier targets in litigation for falling short in their duties, as is evidenced by years of shareholder derivative lawsuits alleging breach of fiduciary duty, among other claims, against officers and directors of companies in the wake of significant and highly public data breaches. These claims often involve allegations of breach of fiduciary duties and wasting of company assets. Plaintiffs also often assert securities fraud claims.

Shareholder derivative lawsuits brought against officers and directors relating to cybersecurity oversight failure are not a new trend.[5] However, we have now seen enough litigation and settlements in this area to know that the litigation is a serious headache for those named as defendants and that resolution can be expensive. For example:

  • Following a 2017 data breach at a consumer reporting company involving the data of 143 million consumers, plaintiffs filed a securities class action against the company and its officers and directors.[6] Plaintiffs alleged, in part, that the company made misleading statements about the company’s systems, failed to take basic precautions, and failed to adequately monitor. The case was ultimately settled for $149 million.
  • In 2019, former directors and officers of a large technology company agreed to pay $29 million to settle a consolidated class action lawsuit claiming they breached their fiduciary duties following a data breach involving 3 billion data subjects.[7] In this case, the plaintiffs alleged, in part, that the directors and officers breached their duties by hiding the data breach from shareholders and the public.[8] The plaintiffs further claimed that the directors did not observe industry standards, respond to breaches, or train staff.[9]
  • Investors filed a similar action in 2020 against SolarWinds Corporation and its officers, including its former CEO, Executive Vice-President, Chief Financial Officer and Treasurer, and VP of Security Architecture, following a data breach that resulted in the company’s investigation by the SEC regarding its cybersecurity disclosures and statements.[10] Among the plaintiffs’ claims were claims for misleading investors about the company’s cybersecurity posture and failing to take action around cybersecurity.
  • In 2021, shareholders filed a securities class action against board members of a telecommunications company as a result of a data breach that exposed the personal information of 54 million consumers.[11] The plaintiffs alleged, in part, that the board breached its fiduciary duty by failing to have effective internal controls and failing to respond to red flags showing inadequate controls. Plaintiffs further alleged that the board was aware of substantial security risks and misrepresented them in SEC filings.[12]

Criminal Liability for Concealment and Egregious Actions

Poor cybersecurity oversight can rise to potential criminal liability where officers and directors have knowledge of the breach and intentionally conceal it, where cybersecurity preparedness falls below industry standards, or where misleading statements are made about preparedness. The conviction of Uber’s Chief Security Officer arising out of his response to the 2016 hack of Uber was a landmark event. While the actions of the former CSO were egregious, the conviction garnered the attention of cybersecurity officers nationwide.

Risk Mitigation

The fiduciary duties of officers and directors have not changed, yet there appear to be appropriately higher expectations about cybersecurity oversight and a commitment to hold those in charge accountable for failure in oversight. Officers and directors should continue to remain informed about their organization’s cybersecurity compliance program and ensure that vulnerabilities are addressed. Regular reporting from the Chief Security Officer or his/her designee can help board members stay abreast of issues and remain sensitive to their importance. Officers and directors must exercise a duty of care, which requires them to stay informed, be attentive, and act in the best interest of their organizations. Failure to respond to breaches, ignoring industry standards, and misrepresenting the strength of the cybersecurity program, among other things, are clearly not in an organization’s best interests and fall beneath the standard of attentiveness of a reasonably prudent director.

Not only are cyber events expensive, the consequences can impede the delivery of healthcare in a community if a hospital or health system is unable to operate as a result, which can have a potentially devastating impact. In 2022, the Office for Civil Rights called on providers to strengthen their cyber posture following cyberattacks in 2021.[13] Recent years are not different, and hospital and health system boards can make a difference by keeping cybersecurity top of mind.

The Governance Institute thanks Carolyn V. Metnick, J.D., LL.M., Partner, Sheppard Mullin, for contributing this article. She can be reached at cmetnick@sheppardmullin.com. The author would also like to thank her colleague Esperance Becton for her research assistance.


[1] There have been few exciting developments in U.S. privacy law since the HIPAA Final Omnibus Rule with the exception of the rollout of the California Consumer Privacy Act and perhaps the New York Department of Financial Services Cybersecurity Regulation.

[2] Connecticut recently amended its Data Privacy Act to adopt consumer health privacy protections.

[3] The rules were published in the Federal Register on August 4, 2023, and are available at 88 FR 51896.

[4] Ibid; see “Final Amendments.”

[5] See Carolyn Metnick, “Cybersecurity Responsibility and Accountability: What Directors and Officers Must Understand about Managing Data,” BoardRoom Press, The Governance Institute, August 2016.

[6] Kevin M. LaCroix, “Equifax Data Breach-Related Securities Suit Settled for $149 Million,” The D & O Diary, February 17, 2020.

[7] In re Yahoo! Inc. Securities Litigation (Case No. 17-CV-00373-LHK).

[8] Annette M. Bevans, “Directors Beware: Yahoo Derivative Breach Settlement—What It Means for Personal Exposure of Directors for Cybersecurity Breaches,” American Health Law Association, October 4, 2019.

[9] Ibid.

[10] In re SolarWinds Corporation Securities Litigation.

[11] Kevin LaCroix, “Data Breach-Related Derivative Suit Filed Against T-Mobile USA Board,” The D & O Diary, November 30, 2021.

[12] Ibid.

[13] Lisa Pino, “Improving the Cybersecurity Posture of Healthcare in 2022,” HHS, February 28, 2022.

High Reliability: The Board’s Role in Ensuring Quality, Safety, and Organizational Reputation

By Andrew Resnick, M.D., Chief Medical and Quality Officer, Chartis

Key Board Takeaways

  • Commit to oversight. The board is ultimately accountable for the performance of the organization. As such, a top priority should be ensuring the medical staff leaders and hospital executives fulfill their responsibilities and keep the board informed. This includes discussing mission-critical issues and taking timely action.
  • Ensure strong processes and procedures. The board should make sure the organization has clear and effective processes and procedures (consistent with regulatory and best practice standards) to guide the organization in becoming highly reliable.
  • Hold executives accountable for overall performance. These leaders should report on how they are cultivating a culture of safety, developing highly reliable systems and processes, and enabling effective performance management.
  • Hold medical staff leaders accountable for individual provider performance. These leaders should report on a robust peer review process, comprehensive performance management, and stringent credentialing and recredentialing processes.

We have all cringed reading the headlines: another hospital or health system whose reputation is at risk as a result of errors and patterns of unsafe—and even harmful—care coming to light. What brought them to this place? And how can you ensure your organization doesn’t follow a similar course?

As leaders in our communities, we are all striving toward the same goal of providing safe, high-quality care—something that’s becoming even more important with the many distractions and disruptions in healthcare today. The reality is that healthcare is inherently fraught with risks and complexities, so achieving our chief goal won’t happen without the right system in place.

You may have heard the oft-cited quote, “Every system is perfectly designed to get the results it gets.” This is where high reliability comes in. High-reliability organizations are ones that are set up to produce predictable, high-quality results and safety in a complex and high-risk environment. Hospitals and health systems that work at being high-reliability organizations are in a continuous state of self-monitoring and optimization. The result is not only a consistently high degree of quality and safety but also across-the-board benefits for the organization. Boards of such organizations can be confident that the design of their system will produce the desired results—and not those undesired headlines.

High Reliability Improves Quality and Ratings and Rankings

If you’re wondering how being a high-reliability organization differs from performing well in national quality ratings and rankings, you’re not alone. The two are closely related but—importantly—not the same.

When organizations are seeking to improve ratings and rankings, the question often arises: Do efforts to improve ratings and rankings lead to actual clinical outcomes improvement, or does improving quality and safety lead to better ratings and rankings?

The answer to both is “yes”—if you take the approach of high reliability. And this is crucial. Healthcare organizations often undertake limited efforts to boost their ratings and rankings. But it becomes an added burden on already overburdened staff, and it often produces variable results.

For optimal results and to get staff on board, your quality and safety efforts can’t be one-off initiatives—just “one more thing.” Rather, they need to be the way your organization operates. Your organization is taking a holistic approach to building the resilience that counteracts errors that can so easily happen in healthcare every day. It also can’t just be an effort put on the frontline staff. Being a high-reliability organization requires an integrated and aligned structure from the board level down to the front lines of care delivery and back again.

The results speak for themselves. For instance, a 500-bed academic medical center on the East Coast had a traditional risk-based patient safety program but still was seeing poor ratings and rankings with Vizient, Leapfrog, and value-based care performance programs. Within two years of moving to a transparent, reliability-based organization, the organization had achieved top-decile performance across all ranking programs.

High-Reliability Benefits Go Beyond Quality, Safety, and Reputation

Achieving high reliability should address not only quality and safety concerns and optimize the organization’s reputation but also help improve many other pressing concerns. That includes:

  • Lowering the per-unit cost of care
  • Reducing inefficiencies
  • Limiting liability exposure and expense
  • Optimizing reimbursement through value-based care programs and clinical documentation improvement
  • Optimizing staff engagement, retention, and well-being

Key Elements for Success

Several elements are essential for becoming a high-reliability organization. They include:

  1. Get everyone onboard. Starting with board-level support, the main objective is to engage the entire organization—from top to bottom. Frontline engagement is critical, as these individuals know what the problems are and how to solve them. Even often-overlooked staff like administrative support and food service workers can make valuable contributions.
  2. Understand your quality methodology and make it your North Star. Ratings and rankings can help support organizational goals and provide external benchmarks to work toward. But leaders must recognize both their limitations and desired uses.
  3. Empower and align your people. The real key is to align the organization and make it accountable from the very top down to the front line and back up again to the board. The entire organization needs to know what the priorities are and be equipped to drive performance forward.
  4. Communicate, measure, and close the loop. The best system is bidirectional, putting people in the right position of authority and accountability and fostering innovation. That includes clearly messaging how strategic and annual plans apply to quality and safety, elevating problems and innovations identified at the front line, confirming actions taken, and measuring results.

Can You Afford to Focus on High Reliability?

Many organizations consider high reliability as yet another priority to invest in when in actuality, high reliability is the priority you can’t afford not to invest in. The truth is that it pays dividends for itself financially and operationally—and most importantly, in achieving a well-deserved reputation for providing safe, high-quality care.

The Governance Institute thanks Andrew Resnick, M.D., Chief Medical and Quality Officer at Chartis, for contributing this article. He can be reached at aresnick@chartis.com.
