Data – not only does it continue to be one of the biggest buzzwords, but its impact and possibilities for the healthcare industry continue to have many insiders excited this year. At a time when pressure is being placed on the healthcare industry to reduce costs across the board, data continues to come up in conversation as one of the keys to success because of its potential for increased efficiencies and effectiveness in providing more comprehensive medical care.
However, many questions still remain: how do we get our hands on it; how do we use it; how do we share it; and most importantly, how do we keep it safe? The latter is of particular importance to healthcare organizations because of the strict regulations placed on the industry and the high costs of non-compliance.
As the healthcare industry becomes more and more digital, thanks to the implementation of Electronic Healthcare Records (EHR) and Health Information Exchange (HIE), more and more patient data is being accessed electronically and available for instantaneous sharing. On one hand, this streamlined process helps to improve the quality, safety and efficiency of health care, but on the other hand, it raises many red flags as to the security of the data and, ultimately, the patient.
The U.S. Department of Health and Human Services (HHS) is feverishly trying to address security concerns by implementing rules and provisions that require strict compliance to decrease the number of data breaches each year that put sensitive patient information at risk. In January 2013, HHS released the “HIPAA Omnibus Rule,” a set of final regulations that modified the privacy, security and enforcement protections of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, by implementing a number of provisions from the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009. Here’s a look at some of the highlights from the Omnibus Rule in three focused areas:
- Patients can request access to their medical records in electronic form
- Patients must be notified if their Protected Health Information (PHI) is subject to breach
- Prohibits sale of an individual’s private information without their consent, and details new limits on how patient data can be used in marketing and fundraising efforts
- To assess whether patient information has been compromised, the liable entity must conduct a risk assessment
- Any incident, regardless of its content, must be treated as a breach, whereas in the past such incidents were considered exceptions to the rule
- Penalties for non-compliance are based on levels of negligence with a maximum penalty of $1.5 million per violation
- Many requirements extend to business associates of health care providers, health plans and other entities that process health insurance claims, including contractors and subcontractors
While the regulations are certainly helpful in understanding the requirements and associated expectations placed on these entities, the digital world is moving at a much faster pace than the governing bodies can keep up with, and as such, the regulations can become outdated even as they’re being released. This reactive nature creates the largest challenge of all for privacy and compliance.
Remaining in a Constant Working Posture
For every industry, there are multiple regulating bodies, hundreds in many cases, that help proactively enforce government regulations. Organizations can obtain accreditations and certifications to ensure compliance with all current and applicable government regulations and develop a constant working posture to seamlessly adapt when new guidelines emerge.
Beyond the required safeguards, industry experts offer the following tips for compliance as it relates to data management:
Create Data Experts – It’s always important to train all employees, but when it comes to dealing with patient data, training is paramount and ongoing with regular programs occurring on a monthly and annual basis.
Set Up a “Command Center” – Coordination between all parties involved is key, necessitating a “command center” to ensure an efficient and streamlined flow of data collection, sharing and integration. Often, this role is played by a third-party organization, such as a contact center.
Open Communication Channels – All parties need to be aligned when it comes to data sharing, which calls for open communication across multiple channels. Creating an open dialogue between all stakeholders is critical for successful data management.
Enlist a Trusted Partner – With the high risks involved when dealing with patient data, it’s a good idea to enlist a trusted partner to provide expertise in a particular aspect of the data management process, or to serve as the “command center” as listed above. Whoever organizations choose as their partner, they must ensure they have a strong commitment to compliance and data security.
Rely on Industry Accreditations – Industry accreditations help ensure that organizations are complying with the associated regulations. It’s a best practice to apply for all applicable accreditations to ensure full compliance, and to evaluate any and all partners based on those same accreditations, especially now that all business associates will be held liable.
As the Director of Corporate Compliance and Security, Tom Browning is responsible for the Quality Management System and Privacy program at Telerx. Additionally, he is the subject matter expert for all security-related matters, including internal investigations, breaches, and privacy safeguards for sensitive program areas. He assures compliance with client expectations, Telerx corporate and program-level policies and Standard Operating Procedures (SOP), and adherence to state and federal regulations. Tom also oversees the HIPAA program, EHNAC Accreditation, contracts, and M&A due diligence and integration. He serves as Managing Representative of Telerx’s ISO 9001 Quality Management System, and as the overseer of Privacy.