As compliance regulations tighten for healthcare organizations, many executives that have allowed these practices to fall by the wayside over the years are reevaluating how they handle data and electronic systems. It may seem like a complicated topic, and that a team of highly-skilled IT professionals are required to achieve compliance, but neither of these things are the case. While compliance can be difficult, often all it takes is hiring an external organization to reach that level. As for complexity, it is possible and indeed vital that top-level leadership in health organizations understands how regulatory compliance will affect them.
Healthcare compliance is evaluated along three axes: legal, ethical, and professional. Standards for all three should be up to date, with policies in place to enforce them throughout an organization. They should focus on procedures that employees need to follow, metrics of success, and ways to monitor possible issues to be corrected.
As far as enforcing compliance goes, a number of agencies are actually responsible, depending on the nature of compliance. The Department of Health and Human Services and the Office for Civil Rights are primarily responsible for monitoring patient records and ensure that they are all protected according to HIPAA standards. In a similar manner, The Centers for Medicare and Medicaid Services address electronic health records as their nature changes and write many of the rules for healthcare compliance. Finally, the Office of the National Coordinator for Health Information Technology moves organizations safely away from paper and toward digital records, encouraging information exchange in a safe and compliant manner. All of these organizations and more have published guides to the best ways to protect data and achieve compliance.
In organizations themselves, everyone is responsible for compliance. However, the burden of educating others and securing an organization’s compliance certifications falls to a compliance officer, often a Chief Compliance Officer (CCO) in a larger organization. Certifications are varied, but the four most common are for healthcare, research, privacy, and ethics. However, just gaining these is not enough—a CCO will have to maintain these standards and become re-certified at regular intervals.
In truth, these certifications are only really helpful for an organization if it has a significant number of them—the four previously listed, at the very least. Each one deals with a different facet of compliance, but the elements of education, reassessment, and discipline common to regulation as a whole are relevant in their own ways.
Another misconception about regulatory compliance is that it is interchangeable with cybersecurity. While it’s true that good cybersecurity is more necessary in healthcare than most other industries, these practices don’t always conform to compliance standards. The reverse is also true—compliance does not necessarily fix vulnerabilities. The same professional should not be responsible for both, as considerations are different and keeping abreast of both is a difficult task. However, both officers should be in frequent contact to ensure that nothing that they are doing adversely affects the other.
And, above all else, executives should not be afraid to solicit outside help! Third-party organizations are often crucial to providing an objective assessment of how an organization can achieve effective compliance. Plans should be scalable and account for future developments, as regulations will always change. However, with good communication and the help of skilled professionals, healthcare organizations can find options that keep stakeholders happy and data handled properly.