A Layman’s Guide To Achieving Compliance

As compliance regulations tighten for healthcare organizations, many executives who have allowed these practices to fall by the wayside over the years are reevaluating how they handle data and electronic systems. It may seem like a complicated topic, and that a team of highly skilled IT professionals is required to achieve compliance, but neither of these things is the case. While compliance can be difficult, often all it takes is hiring an external organization to reach that level. As for complexity, it is possible, and indeed vital, for top-level leadership in health organizations to understand how regulatory compliance will affect them.

Healthcare compliance is evaluated along three axes: legal, ethical, and professional. Standards for all three should be up to date, with policies in place to enforce them throughout an organization. They should focus on the procedures that employees need to follow, metrics of success, and ways to monitor for issues that need to be corrected.

As far as enforcing compliance goes, a number of agencies are responsible, depending on the nature of the compliance in question. The Department of Health and Human Services and its Office for Civil Rights are primarily responsible for monitoring patient records and ensuring that they are all protected according to HIPAA standards. In a similar manner, the Centers for Medicare and Medicaid Services address electronic health records as their nature changes and write many of the rules for healthcare compliance. Finally, the Office of the National Coordinator for Health Information Technology moves organizations safely away from paper and toward digital records, encouraging information exchange in a safe and compliant manner. All of these organizations and more have published guides to the best ways to protect data and achieve compliance.

In organizations themselves, everyone is responsible for compliance. However, the burden of educating others and securing an organization’s compliance certifications falls to a compliance officer, often a Chief Compliance Officer (CCO) in a larger organization. Certifications are varied, but the four most common are for healthcare, research, privacy, and ethics. However, just gaining these is not enough—a CCO will have to maintain these standards and become re-certified at regular intervals.

In truth, these certifications are only really helpful for an organization if it has a significant number of them—the four previously listed, at the very least. Each one deals with a different facet of compliance, but the elements of education, reassessment, and discipline common to regulation as a whole are relevant in their own ways.

Another misconception about regulatory compliance is that it is interchangeable with cybersecurity. While it’s true that good cybersecurity is more necessary in healthcare than in most other industries, security practices don’t always conform to compliance standards. The reverse is also true—compliance does not necessarily fix vulnerabilities. The same professional should not be responsible for both, as the considerations differ and keeping abreast of both is a difficult task. However, the two officers should be in frequent contact to ensure that nothing one of them is doing adversely affects the other.

And, above all else, executives should not be afraid to solicit outside help! Third-party organizations are often crucial to providing an objective assessment of how an organization can achieve effective compliance. Plans should be scalable and account for future developments, as regulations will always change. However, with good communication and the help of skilled professionals, healthcare organizations can find options that keep stakeholders happy and data handled properly.

Pillars of a Strong Compliance Culture

While professionals in a variety of industries have strived to adapt to changing regulatory standards, getting an entire company on board is a far different matter. Compliance officers have taken it upon themselves to become well-informed about the subject matter and the near-constant barrage of changes that affects it.

That said, a compliance officer trying to single-handedly bring a business up to regulatory standards is akin to trying to extinguish a fire with an eyedropper. Even if one person tries to implement all of the necessary changes, they are, in fact, only one person. Not only does the entire team need to get involved, but the entire team needs to be invested as well. Education is only effective if employees are willing to put what they learn into practice and audit their own behavior. Getting them to care is perhaps one of the greatest challenges a compliance professional faces.

For any compliance program, the first step to making it relevant is to start from a program that has already been tested in other industries. While compliance is certainly necessary to obey the law, it also confers other benefits and allows a company to stay competitive. If a firm is able to comply particularly well, it can even strive to obtain a HITRUST certification and distinguish itself further.

Once a company has established industry best practices, it’s time to look at how personnel are trained to achieve compliance. Training is a good first step, but compliance officers must find a way to engage employees effectively. The good news is that processes that lead to good compliance can also lead to increased productivity for employees. Try to simplify workflows and eliminate tasks that lead to possible compliance issues. Employees will be more supportive of changes if they feel that they benefit from them as well.

And employees should be incentivized for practicing good compliance. Establish both good compliance practices and well-defined rewards for following them. Structure any incentive to fit into the everyday workflow of employees and make them aware of how they can contribute.

Organization is also key. Data should not just be kept safe; it should be segregated and classified as needed. Whether digital or traditional, part of compliance culture should cover the way data is handled, backed up, and disposed of. Still, this is something that every employee has to be a part of, from C-suite executives right down to new hires. Don’t start a training program meant to elucidate the finer points of data safety and then fail to follow it up with anything.

Each employee may need a specialized approach to compliance. While anybody can fall victim to something like a phishing scheme, differences in data access mean that a selection of training programs and follow-ups is necessary to cover common issues. Tailoring these initiatives to risk levels helps a company create an experience that is unique and relevant to everyone.

A skilled compliance officer can change the course of an organization by creating a culture based on compliance. Even as companies scramble to keep up with new regulatory environments, many are realizing that making these changes sooner rather than later can have a lasting impact and generate a significant competitive advantage.

Innovate and Comply: The Dual Frontiers of Healthcare Tech

In many ways, new compliance standards are a blessing in disguise for healthcare organizations. While HIPAA and regulations like it may initially seem limiting, forcing a care provider to shake up its infrastructure, they also give it the opportunity to pursue other options in IT management and create scalable, secure systems that will serve it for years to come.

However, like any good frontier, innovation is fraught with danger. New technologies meant to improve aspects of healthcare such as patient data also open up new avenues of attack and new challenges to achieving compliance. We are at a point where these changes are necessary, but a balance must be struck to ensure that an organization is not waylaid while experimenting. There’s a lot at stake, but better IT options for healthcare organizations make it a bit easier to pursue improvements.

This is the unfortunate reality of technology in healthcare. Due diligence—particularly when handling sensitive information—is necessary, even if it slows down the speed of innovation. The risk of physical harm looms over healthcare systems as well. After all, if a monitoring device stops working, how will the already beleaguered doctors and nurses know to respond?

Even more concerning is the number of care providers who believe that their security and compliance measures are up to snuff, even though many are not actually compliant. A lack of knowledge about modern standards and unknown gaps in data security both contribute to this disconnect.

This illustrates the need for healthcare organizations to bring in outside help—specialized auditors are often able both to identify weaknesses and to give an organization a sense of what it can build on to deliver a better experience to its patients. It may be another cost an organization has to contend with, but the very real risk of endangering patient lives makes it very much worth it.

But when it comes to moving forward while staying secure, it turns out that it is wholly possible to work with solutions that are still HIPAA compliant. There’s no one segment that innovation is centered around—the beauty of this new frontier is that any healthcare organization with some savvy can start projects that will benefit them for years to come. However, any care provider should be aware of all of the strictures affecting them before they begin; for instance, an international company may need to comply with EU and HIPAA regulations.

If there’s one thing to take away from this shift, it’s that organizations should take the opportunity to improve rather than simply comply. The age of many infrastructure elements means that organizations that haven’t been keeping current will likely need to make sweeping changes. Tools such as cloud infrastructure, wearable technology, and better patient-side systems can all revolutionize the way a care facility functions. It all comes down to analyzing patient and employee needs to figure out which solutions will make the biggest impact.

There is no reason that healthcare organizations should have to choose between compliance and innovation, but they should still learn to do both safely. There’s a lot of work that goes into both, but new HIPAA regulations mean that organizations will need to make changes one way or another—and they may as well put in work that will lead to better outcomes for their patients.

How Data Improves Patient Health

Good compliance and patient engagement are two objectives in the healthcare world that converge more than one would think. Recent health trends have produced patients who are more invested in their own health and willing to work with care providers to meet their objectives. This is outstanding for medical professionals looking to create a solid foundation for their patients and keep them as healthy as possible. However, it is all too easy to get caught up in a fad and make poor decisions, so another burgeoning aspect of patient engagement centers around correcting common misconceptions and getting individuals back on the right track.

In contrast, compliance is a process that happens beyond the perception of patients. As I’ve discussed in the past, an increase in sharing data also increases the need to secure systems and ensure that information is not compromised. However, safely giving patients access to their own data can help empower healthcare providers and patients alike.

While the mass exchange of data, both internally and with patient portals and other healthcare institutions, creates more points where it can be stolen, it also leads to opportunities to educate patients and involve them in the process. The increase in IoT wearables that track patients’ biological metrics also contributes to patient engagement as well as research. Some of these wearables, despite being an ever-present aspect of the lives of some individuals, do not provide data to the people who use them. Freeing up access to this data increases the number of ways that a patient can help sustain their own health.

This is, in many ways, the central premise of patient engagement. There is no one way to instill a desire for self-improvement in patients. The only thing that healthcare providers can do is give them the freedom and the tools to monitor their own health. Patient portals, for instance, give individuals access to their own records, allowing them to do the legwork of tracking their progress over time. Other systems may remind patients to adhere to medication schedules, or help guide them through things like physical therapy.

It then falls to providers to achieve good compliance in order to safely give patients leeway to create the foundation for good health. In a competitive industry, a healthcare organization can fall behind if they do not provide a positive experience for patients—to say nothing about what can happen if compliance is not met.

These care providers stand at a crossroads, and they must decide in what ways they will innovate to improve patient outcomes. Compliance should not be a process of checking off boxes for the sake of staying in business—it should be leveraged as a strategic tool to reevaluate aging systems and promote engagement among patients. There are plenty of other benefits as well, and savvy organizations can use compliance as an opportunity to rethink the way they conduct IT, saving costs and setting up better agility in the long term.

In short, the technology exists to help patients take control of their lives—but it’s up to organizations to adopt it in a safe way that still remains compliant. It may sound strange to some medical professionals to fixate on technology in this way, but the ideal of good patient engagement can only be reached if the systems behind it function seamlessly.

Human-Centered Design and What It Can Teach Us About Cybersecurity

Even with the myriad system vulnerabilities that can open the door to cyberattacks, the biggest vulnerability in any organization is its people. One mistake by an employee can lead to the compromise of entire systems, and even individuals well versed in technology are not immune to error.

In the healthcare industry, closing up these gaps is more important than in most places. In addition to financial information, a cyberattack can compromise confidential medical records and erode trust in an organization. Establishing a strong cybersecurity foundation is but one step toward achieving compliance for a care provider, and is not just about setting up basic countermeasures.

Because the human element is impossible to fully remove from any system, it falls to organizations both to educate employees on the finer points of cybersecurity and to create systems that account for human error. Additionally, any security measures implemented should minimally impact the ability of other employees to do their jobs.

Enter Human-Centered Design (HCD). A concept that can underlie any product or service, HCD refers to designing with common human behavior in mind. For cybersecurity, HCD means designing controls in such a way that they account for the mistakes anyone may make.

Inevitably, the first step to promoting good security practices is education. Staff members are far more vulnerable to making errors if they don’t know what to look for. Standard employee training programs should account for these practices, especially in conjunction with training on certain computer systems. Give them some perspective on how these attacks spread; knowing the extent to which opening a suspect email can cause problems can help employees proceed with caution.

Education should ideally go beyond a simple presentation and strive to engage employees. These sessions should allow for individual input and explain the costs of a breach. Beyond prevention, employees should also know what steps to take if they believe that they have been targeted or that a system has been compromised. This means giving them easy ways to contact the IT department and make it aware of a potential problem as soon as possible.

Marin General Hospital even included a system for reporting attacks, rewarding any employee who reports a threat to IT.

As an IT professional, it can be easy to get slotted into a specific way of thinking. Tools and techniques that seem commonplace may be utterly alien to some employees. As a result, be aware of the ways that each employee interacts with a given system and strive to seamlessly integrate a solution into their daily work. For instance, setting up the infrastructure to encrypt emails can be difficult, but rolling it out on a limited basis, starting with the people each employee corresponds with most frequently, can seriously cut down on potential vulnerabilities.

Programs to bolster cybersecurity are created not only to fix technical issues, but to hedge against internal mistakes by employees. Even with hackers creating more and more advanced malware, the simplest phishing scheme can still cost an organization thousands of dollars. By designing a cybersecurity program to conform to the needs of employees, IT professionals can head off many attacks before they even happen.