Although companies and public sector organizations bemoan the time spent complying with federal rules, there are opportunities to improve the process, officials said.
Representatives from state governments and the financial and hospital industries testified Wednesday that they spend too much time working to comply with a cavalcade of duplicative, outdated or contradictory federal rules, although they stopped short of rejecting regulation in principle.
At the House Oversight and Government Reform subcommittee's sparsely attended but provocatively titled hearing, “Regulatory Divergence: Failure of the Administrative State,” officials espoused the need for federal agencies to adopt a unified cross-agency framework for developing regulations, rather than the “siloed” fashion in which rules are typically crafted.
“We’re finding that 43 percent of our resources within compliance and cybersecurity are utilized to reach federal compliance,” said James “Bo” Reese, president of the National Association of State Chief Information Officers and the CIO in Oklahoma’s Office of Management and Enterprise Services. “We’re all for federal compliance, but the challenge is we spend so much time, and duplicative time because of multiple audits, the same ones over and over and with differences that we have to go out and map and find the least common denominator across them.”
Reese estimated his office spends more than 10,000 hours per year working on regulatory compliance issues. And John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association, estimated that member hospitals spend upwards of $39 billion per year on administrative activities related to complying with a myriad of federal regulations from the Centers for Medicare and Medicaid Services, the Health and Human Services Department Office of the Inspector General’s Office of Civil Rights and the Office of the National Coordinator for Health Information Technology.
“While federal regulation is necessary to ensure that the health care patients receive is safe and high quality, in recent years, clinical staff, including doctors and nurses, find themselves devoting themselves to regulatory compliance and taking them away from patient care,” Riggi said. “The average community hospital, with 161 beds, spends nearly $7.6 million annually to support compliance with and review of federal regulations, and that figure rises to $9 million for those with post-acute care beds. In another way, the regulatory burden costs $1,200 whenever a patient is admitted to the hospital.”
House Oversight and Government Reform Subcommittee on Intergovernmental Affairs Chairman Gary Palmer, R-Ala., said federal regulations cost the economy $2 trillion annually. But Robert Weissman, president of progressive consumer protection advocacy group Public Citizen, said Riggi and Palmer’s estimations leave out a key consideration: the benefits of regulations.
“The benefits of regulation, even when monetized in a corporation-friendly fashion, vastly exceed the costs,” he said. “We know that because the Office of Management and Budget reviews the cost and benefits of regulations issued each year, and every single year since 2001, the benefits have vastly exceeded the costs at a minimum in the range of 2 to 1, and typically up to 12 to 1.”
In February, OMB released its most recent report on federal regulations, which found that between 2006 and 2016, federal regulations produced between $219 billion and $695 billion annually in benefits, compared with costs, which ranged on an annual basis between $59 billion and $88 billion (reported in 2001 dollars).
Industry leaders said there has been progress in making it easier to deal with states' and businesses' regulatory burden, both through coordination and discussions with regulators and through technological advances. Christopher Feeney, executive vice president at the Bank Policy Institute, said his organization has developed a modified version of the National Institute of Standards and Technology's cybersecurity framework.
“[NIST] doesn’t exactly harmonize these things, but we coordinate and partner quite actively,” he said. “We took the NIST framework and designed it specifically for the financial industry with their endorsement . . . and they’ve been supportive. Now we’re actively working with them on adding two components: the first is governance, and the second is third-party dependency management.”
Feeney said the financial industry also has compared various regulations and audits to cut down on the amount of duplicative work companies must do in their compliance efforts.
“We were able to . . . take the question set down to about 400 from thousands, and what that does is provides you some latitude in simplifying the diagnostic statements that auditors or examiners use,” he said. “And there are ways to actually apply these types of tools to help the regulators, help the industries—I say that plurally—to really minimize the cost.”