HIPAA regulation: The challenge of integrating compliance and patient care
January 2016

Contents
Introduction 3
HIPAA’s “technology neutral” structure creates opportunity and challenge 3
Compliance can pave the way for meaningful use 4
Clinician communication varies and is expanding into new modes 6
Current strategies leave room for improvement 8
Unified care team collaboration platforms are underutilized 10
Sources 11

Published as a source of information only. The material contained herein is not to be construed as legal advice or opinion.
©2016 PerfectServe, Inc. All rights reserved. PerfectServe® is a registered trademark and PerfectServe Synchrony™ and Problem Solved™ are trademarks of PerfectServe, Inc.
perfectserve.com | 866.844.5484 | @PerfectServe
Introduction
The expansion of communication technology within healthcare organizations involves great promise and great risk.
Keeping information flowing and the right people connected at the right time creates potential for more effective patient care and population health management.
But a greater number of moving parts also means greater risk. With personal health data moving at greater frequency through an increasing variety of digital channels, the complexity of communicating in a secure manner as mandated by HIPAA regulations is on the rise, as is the risk to the confidentiality and integrity of patient data.
While the complexities of compliance—and the penalties for breaches—are daunting, the true challenge of HIPAA regulations for healthcare organizations is to integrate security compliance into their overall goals of providing high-quality individual patient care and improving population health management. Secure communication is mandatory and vital for patient confidentiality, but it is not intended to be a barrier to high-quality, efficient care.
In fact, HIPAA regulations are intended to mesh with and provide a foundation for the kind of proper, efficient exchange of information that grounds new models of collaborative care. HIPAA’s core mandate is threefold: confidentiality, integrity and availability. Getting HIPAA compliance right means greater communication and, ultimately, a positive impact on patient care. To make this happen, healthcare organizations need to assess how their members communicate, building compliance into the model in ways that enhance workflow. Finding secure ways to encourage and streamline the flow of information can align the need for HIPAA compliance with the trend toward greater collaboration and the goal of better patient care.

HIPAA’s “technology neutral” structure creates opportunity and challenge
HIPAA Security Rule regulations require all covered entities to subject their policies, procedures and technical infrastructure to ongoing risk analysis and to implement a comprehensive strategy to ensure confidentiality, integrity and availability of electronic personal health information (ePHI), however and whenever it is stored or communicated.
Any method of communicating ePHI must, under the Security Rule, meet technical standards for Access Controls, Audit Controls, Integrity, Person or Entity Authentication and Transmission Security.
However, the law does not regulate or provide guidance on the specific technologies health organizations may use to store and communicate ePHI. The law is intentionally technology neutral; it does not prescribe or restrict storage or communication methods—it only mandates that they meet security standards in these areas.
For healthcare organizations, this is good news. The law does not restrict methods of communication or specify use of technologies that are continually becoming outdated. This encourages flexibility and innovation, as new ways of communicating can fuel new ways of coordinating care.
The law permits individual organizations to assess and adopt the technologies they feel will best serve their overall goals and structure.
However, this flexibility also comes at a price. The burden falls on healthcare organizations to structure their communication strategies, proactively vetting and choosing technologies that fit in with overall healthcare goals. They also must ensure that every aspect of the way they handle sensitive personal health information is secure—every method of communication, every device, every software platform, every network. As methods of communication change and proliferate, the task becomes larger and more complex, requiring greater strategic planning and more organizational resources.

Compliance can pave the way for meaningful use
Facing this challenge, organizations may simply focus on or feel overwhelmed by the technical complexity of bringing their communications into compliance—losing sight of a larger potential. The flexibility within the Security Rule is essential to achieving its third core tenet: availability of information. The ability to store and transmit data securely means that it can be shared among all those on the care team—keeping the right people informed in a timely manner. According to the Department of Health and Human Services, “permitting the appropriate access and use of that information, ultimately promotes the use of electronic health information in the industry—an important goal of HIPAA.”1 Security compliance actually encourages the exchange of information that can bring about greater efficiencies and better outcomes in our healthcare model.
The intent to dovetail compliance with coordination improvements is exemplified in the push to encourage “meaningful use” of electronic health records (EHRs). Starting in 2011, the Centers for Medicare & Medicaid Services (CMS) began administering an incentive program to promote the transition to electronic health record systems. The goals of this program are not only to solidify patient data security but also to enhance the ability of healthcare organizations to use that data in meaningful ways. Securing data in compliance with HIPAA regulation through an EHR can not only “maintain privacy and security of patient health information,” but also enable healthcare organizations to “improve quality, safety, [and] efficiency, and reduce health disparities; engage patients and family; [and] improve care coordination, and population and public health.”2
While related to a single aspect (EHRs) of the data storage and communication technologies covered by the Security Rule, the meaningful use program crystalizes the potential that secure communication systems hold. The ability to store and communicate data securely means the ability to use that data responsibly and creatively to improve delivery of quality healthcare for individual patients and system-wide. The stages of a meaningful use EHR program defined by CMS [Table 1] show how such technical advances could have far-reaching effects on many aspects of our healthcare system, from public health initiatives to greater engagement of patients and families in their own care.
Ultimately, it is hoped that meaningful use of HIPAA-compliant technologies will result in:
• Better clinical outcomes
• Improved population health outcomes
• Increased transparency and efficiency
• Empowered individuals
• More robust research data on health systems3
This vision depends, however, on systems that can meet the technical security standards required by HIPAA, and streamline workflow and improve clinician communication.
Table 1
Stage 1: Meaningful use criteria focus on:
• Electronically capturing health information in a standardized format
• Using that information to track key clinical conditions
• Communicating that information for care coordination processes
• Initiating the reporting of clinical quality measures and public health information
• Using information to engage patients and their families in their care
Stage 2: Meaningful use criteria focus on:
• More rigorous health information exchange (HIE)
• Increased requirements for e-prescribing and incorporating lab results
• Electronic transmission of patient care summaries across multiple settings
• More patient-controlled data
Stage 3: Meaningful use criteria focus on:
• Improving quality, safety and efficiency, leading to improved health outcomes
• Decision support for national high-priority conditions
• Patient access to self-management tools
• Access to comprehensive patient data through patient-centered HIE
• Improving population health
Source: www.healthit.gov/providers-professionals/how-attain-meaningful-use

Clinician communication varies and is expanding into new modes
The challenge of finding the best HIPAA-compliant communication strategies is particularly pressing as, in the search to improve patient care through clinician coordination and patient communication, healthcare organizations are increasingly relying on a complex, often ad hoc, array of technologies and communication platforms. The current workflow and communication model is high-volume and intricate.
Clinicians coordinate care within networks and with external partners using a host of devices and applications, generating a high volume of contacts. In an analysis of PerfectServe data from three hospitals, representing an aggregate of 774 beds and 54,000 annual admissions, clinicians initiated more than 680,000 calls and messages to approximately 900 physicians annually. In a recent online study conducted by Harris Poll on behalf of PerfectServe among various healthcare professionals, data further reveals the intricacy of the system. Phone calls, text messages, email, EHRs, locating an individual for a face-to-face conversation—all are used with varying frequency according to the preferences of the individual clinician, the type and complexity of information sought, and whether the recipient of the message is within the clinician’s organization or is an outside partner.4 Recent data also indicates that multiple platforms rather than a unified system is the norm: in a study of nearly one thousand healthcare professionals, 69% indicate their organization uses multiple applications and technologies for secure communication.5 An organization must account for all of these methods in assessing risk to patient data and must ensure that all methods meet the security standards set by HIPAA.
Additionally, health organizations are using an ever broader and more technically complex system of communications to optimize population health management [Table 2]. These methods serve to improve quality and availability of care, but also rely on the transmission of patient data. More contacts and more methods of communication between clinicians and their patients mean more points at which that health data could be vulnerable and more systems to bring into compliance.
Thus, the reality of how clinicians communicate creates a maze of communication technologies for healthcare organizations to submit to risk analysis and bring up to security standards. As healthcare organizations continue to embrace collaboration and the breadth of communication technologies that make it possible, HIPAA compliance will only become more complex.

Current strategies leave room for improvement
How successful are health organizations in meeting this challenge?
Studies show that while most healthcare organizations are prioritizing data security, current strategies leave significant frustration and room for improvement both in compliance strategies themselves and in the integration of compliance with improved workflow.
Organizations have HIPAA-compliance risk mitigation strategies in place and many are working to improve them in the wake of recent data breaches. A recent survey shows the vast majority work in a group that has an official risk mitigation strategy, and 4 out of 5 (83%) believe that secure communication is a top priority for their organization; nearly half indicate their group has made changes to that plan in light of recent prominent data breaches.6

Table 2 (bar chart): share of respondents whose organization currently uses, or plans to use within the next 12 months, each of the following technologies to optimize population health management: Follow-up patient phone calls, Online patient portals, Unified secure communication platform, Patient text reminders/updates, Telemedicine, Remote coordinations, Remote monitoring, Mobile care team communications, Video conferencing, Remote consults.
Source: Harris Poll, April 2015. Q920: Which of the following technologies does your organization currently use or plan to use within the next 12 months to optimize population health management? Base: All Qualified Respondents (n=955)
But the solutions most rely on are not ideal. Despite the overall emphasis on security and level of organizational commitment, frustration and dissatisfaction exist with methods of secure communication, patient data is still being transmitted in unsecure ways, and barriers to communication are impacting patient care. The recent survey indicates that:
• For most, the strategies necessary for compliance have not been neatly integrated into their workflow: 61% feel that HIPAA regulations pose an obstacle to efficient communications and collaboration within their care team.
• Compliance is a priority, but the tools available are not always up to the task: nearly 3 in 10 (29%) are dissatisfied with the secure communication technology in their organization’s current strategy.
• Despite efforts, the failure of healthcare organizations to create a unified, complete system is the primary source of frustration: the most commonly cited reasons for dissatisfaction are the variance in communication technologies used by different members of the organization (68%) and the failure to have secure communication accessible to all members of the organization (55%). Lack of uniformity in the system and universal access to all team members are much stronger factors in dissatisfaction even than technical deficiencies such as outdated, unreliable software or programs that are complicated to use.
• When a web of disparate technologies is in place and not everyone is included in the same system of communication, collaboration and efficient patient care face a hurdle: 7 in 10 clinicians (69%) indicate that patient care is often delayed while they wait for information about a patient.7
The gaps in an organization’s strategy can also lead to failures in compliance, leaving patient health information vulnerable to exposure or corruption. Despite the emphasis on communication security and the strategies in place, 13% of healthcare professionals admit that, in order to facilitate patient care, they have sent patient health information through unsecure text or voice messages with their personal smartphone in the past year, and 21% acknowledge having received unsecure communications from colleagues via the same manner for this purpose.8

84%: Indicate their health organization has a risk mitigation plan for HIPAA
46%: Say their health organization has instituted security measures in response to news of 2014 healthcare data breaches
61%: Agree that HIPAA regulations pose an obstacle to efficient communication and collaboration within the care team
While breaches occur for many reasons, the majority can be traced to inadequately planned processes and tools organizations develop internally to manage this complicated landscape. A 2015 Ponemon Institute study of ePHI security breaches indicates that the underlying causes of these breakdowns are most often an ad hoc process (34%) or a manual process or tool developed by the organization itself (27%). Incidents traced to an automated process or third-party software occur at a much lower rate (13%).9

Unified care team collaboration platforms are underutilized
For healthcare organizations that are increasingly embracing more collaborative care models and the technologies that make care more accessible and efficient, the answer to HIPAA compliance must focus simultaneously on data security and availability. In a world of rapidly expanding communication methods and applications, points at which the communication model can be streamlined as well as secured can reduce the burden of ongoing risk management on organizations.
A unified care team collaboration platform can help organizations simplify their risk management strategy, relying on a single integrated system rather than tracking and juggling multiple systems. It can also ameliorate the two main causes of dissatisfaction with secure communication within healthcare organizations: not all members using the same technologies and not all members having access to secure communication technology.
However, this strategy is not being as widely implemented as it could be, with nearly 7 in 10 (69%) healthcare professionals reporting that their organization deals with multiple technologies rather than one unified platform.
As organizations review and work to improve their risk management strategies, a unified communications platform can be an important piece of the move toward integrating HIPAA compliance with the best patient care and population health management possible.
Sources
1. “Security 101 for Covered Entities.” HIPAA Security Series: Volume 2, Paper 1. Department of Health and Human Services. 2007. Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html.
2. https://www.healthit.gov/providers-professionals/meaningful-use-definition-objectives. Accessed December 7, 2015.
3. https://www.healthit.gov/providers-professionals/meaningful-use-definition-objectives. Accessed December 7, 2015.
4. PerfectServe Survey Results, April 2015. Harris Poll. The PerfectServe survey was conducted online by Harris Poll on behalf of PerfectServe between February 12 and March 6, 2015. The research was conducted among 955 medical professionals in the following occupations: hospitalist (n=150), primary care physician in an office (n=150), specialist physician in a hospital (n=102), specialist physician in an office (n=101), hospital administrator (n=170), office manager/practice administrator* (n=81), nurse in a hospital (n=101) and case manager (n=100). Office-based respondents work in an office with 25 or more physicians. Hospital-based respondents work in a hospital with 200 or more beds. Physician respondents are duly licensed in the state where they practice. Data were not weighted and are only representative of those who completed the survey. *Nine office managers/practice administrators work in an office with fewer than 25 physicians. When referring to this study, “clinicians” indicates a subset of respondents excluding administrators. The subset includes hospitalist (n=150); PCP office (n=150); specialty physician, hospital (n=102); specialty physician, office (n=101); nurse, hospital (n=101); and case manager (n=100), for a total base of n=704.
5. PerfectServe Survey Results, April 2015. Harris Poll.
6. PerfectServe Survey Results, April 2015. Harris Poll.
7. PerfectServe Survey Results, April 2015. Harris Poll.
8. PerfectServe Survey Results, April 2015. Harris Poll.
9. Ponemon Institute, Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, May 2015. Available at http://www.ponemon.org/library/fifth-annual-benchmark-study-on-privacy-security-of-healthcare-data.