Compliance can be complex, with many decisions occurring behind closed doors, and transparency can help ease the process for everyone it affects. For any medical organization, the people who can be affected by a breach are widespread. From stakeholders to patients to employees, failure to comply can have far-reaching consequences.
For some organizations, such as Griffin Hospital, transparency is about being as forthcoming as possible in the event of a breach. When a former employee was still able to access almost a thousand patient records in 2010, the hospital sought to both investigate the case and immediately inform any patient whose records may have been compromised.
This response, according to Griffin representatives, was their way of reinforcing faith in the organization and demonstrating that they are committed to their compliance efforts. It is also a show of good faith to the patients who might otherwise have gone unaware of the breach.
However, times have changed, and while Griffin’s response was measured and diplomatic, it does not address the other ways that transparency should be used in tandem with compliance.
Of course, it is preferable for a breach to not happen at all. For any compliance initiative, it is valuable for the entire organization to be aware of what is being done and how these efforts will affect operations. In fact, any regulations that could potentially affect the organization should be elucidated, or at least made available, to its staff members.
The fact is, compliance is an ongoing process that affects how the members of an organization work and manage systems. This can be disruptive, and it can be frustrating if individuals are not aware of the reasoning behind certain changes. This goes hand-in-hand with the idea of educating employees on best practices for compliance, as the first step to doing this should be to expound on the impact of new practices.
For patients, any information about how their private data is shared and distributed should be made available to them. As healthcare systems evolve to become more integrated between organizations, it is important to update patients on how this process will affect them. Any policies and procedures should be clearly disclosed to individuals. While data exchange can allow for a better patient experience, this should not come at the cost of transparency and compliance.
In fact, HIPAA’s Privacy Rule makes this a necessity for a compliant environment. Requirements state that organizations should strive to obtain a signed notice of privacy practices (NPP) explaining how data exchange takes place in a networked environment. The NPP should also appear in an organization’s office and on its website. This document varies by organization, but should include details on both how information will be shared and how it is protected.
Compliance is not something that happens behind closed doors. Rather, it’s something that should be public knowledge, both out of good faith and because it helps an organization show that it is committed to safely handling data and other electronic systems. Consider the ways that your organization is communicating with others and audit your compliance plan accordingly.