EHRs and Compliance

Managing electronic health records, or EHRs, in a digital ecosystem takes some level of caution, given the high value of the personal information. Healthcare organizations have struggled when it comes to providing patients with their EHRs in a compliant manner. Many of these issues stem from the patients’ lack of knowledge about how to properly access these records.

Under the HIPAA Privacy Rule, organizations are required to provide EHRs to patients upon request. In these instances, patients may direct that the records be sent to a person or entity of their choosing, after paying a reasonable fee.

The “reasonable” part of this requirement has been called into question, with a patient advocacy organization reporting that some patients paid hundreds of dollars for their medical records. In two instances, patients were charged a subscription fee by the organization to access their medical records.

After the release of these findings, medical organizations defended the costs associated with EHR distribution. Retrieving medical records can be a surprisingly extensive process, with information pulled from multiple EHR systems, resulting in a document that can be hundreds of pages long and filled with minutiae. Additionally, much of this often needs to be trimmed to ensure that the information is only relevant to the patient the records are being distributed to.

Add in security concerns for the transfer of data, especially when it is requested by a third party, and it’s easy to see why this has proven difficult for many healthcare organizations. In several states, fees for third-party requests are generally higher than those charged to patients. This is because fees for third-party requests made at the behest of a patient are not covered under HIPAA regulation.

Laws differ from state to state, making it important for organizations to understand how their state’s laws determine charges for EHRs. For instance, Kentucky entitles individuals to a single free copy of their medical records.

Additional difficulty in handling EHRs is a result of inadequate patient education regarding ways to access records. Educating them on the subject is less an IT concern and more a question of how patient engagement can be leveraged to promote HIPAA compliance. New forms for both healthcare organizations and patients released by AHIMA have aimed to improve understanding of these processes.

Even just making patients aware that they have the right to access their health information is an important step toward compliance. The form was designed to be flexible across organizations, allowing them to adapt it to their needs and patients.

As more and more healthcare providers update their EHR systems in the coming years, expect to see improvements in the ways that information is both delivered and made apparent to patients. Tools that improve patient access and are HIPAA-compliant are sure to be in demand as organizations work to do away with their antiquated and unwieldy paper records.

How Transparency Can Help Compliance

When compliance is complex, with many decisions occurring behind closed doors, transparency can help ease the process for everyone it affects. And, for any medical organization, the people who can be affected by a breach are widespread. From stakeholders to patients to employees, failure to comply can have far-reaching consequences.

For some organizations, such as Griffin Hospital, transparency is about being as forthcoming as possible in the event of a breach. When a former employee was still able to access almost a thousand patient records in 2010, the hospital sought to both investigate the case and immediately inform any patient whose records may have been compromised.

This response, according to Griffin representatives, was their way of reinforcing faith in the organization and demonstrating that they are committed to their compliance efforts. It was also a show of good faith to patients who might otherwise have been unaware of the breach.

However, times have changed, and while Griffin’s response was measured and diplomatic, it does not address the other ways that transparency should be used in tandem with compliance.

Of course, it is preferable for a breach to not happen at all. For any compliance initiative, it is valuable for the entire organization to be aware of what is being done and how these efforts will affect operations. In fact, any regulations that could potentially affect the organization should be elucidated, or at least made available, to its staff members.

The fact is, compliance is an ongoing process that affects how the members of an organization work and manage systems. This can be disruptive, and frustrating, if individuals are not aware of the reasoning behind certain changes. This goes hand-in-hand with educating employees on best practices for compliance, as the first step should be to explain the impact of new practices.

For patients, any information about how their private data is shared and distributed should be made available to them. As healthcare systems evolve to become more integrated between organizations, it is important to update patients on how this process will affect them. Any policies and procedures should be clearly disclosed to individuals. While data exchange can allow for a better patient experience, this should not come at the cost of transparency and compliance.

In fact, HIPAA’s Privacy Rule makes this a necessity for a compliant environment. Requirements state that organizations should strive to obtain a signed notice of privacy practices (NPP) explaining how data exchange takes place in a networked environment. The NPP should also appear in an organization’s office and on its website. This document varies by organization, but should include both details on how information will be shared as well as how it is protected.

Compliance is not something that happens behind closed doors. Rather, it’s something that should be public knowledge, both out of good faith and because it helps an organization show that it is committed to safely handling data and other electronic systems. Consider the ways that your organization is communicating with others and audit your compliance plan accordingly.

A Layman’s Guide To Achieving Compliance

As compliance regulations tighten for healthcare organizations, many executives who have allowed these practices to fall by the wayside over the years are reevaluating how they handle data and electronic systems. It may seem like a complicated topic, and that a team of highly skilled IT professionals is required to achieve compliance, but neither of these things is the case. While compliance can be difficult, often all it takes is hiring an external organization to reach that level. As for complexity, it is possible, and indeed vital, that top-level leadership in health organizations understands how regulatory compliance will affect them.

Healthcare compliance is evaluated along three axes: legal, ethical, and professional. Standards for all three should be up to date, with policies in place to enforce them throughout an organization. They should focus on procedures that employees need to follow, metrics of success, and ways to monitor possible issues to be corrected.

As far as enforcing compliance goes, a number of agencies are responsible, depending on the nature of the compliance in question. The Department of Health and Human Services and its Office for Civil Rights are primarily responsible for monitoring patient records and ensuring that they are protected according to HIPAA standards. In a similar manner, the Centers for Medicare and Medicaid Services address electronic health records as their nature changes and write many of the rules for healthcare compliance. Finally, the Office of the National Coordinator for Health Information Technology moves organizations safely away from paper and toward digital records, encouraging information exchange in a safe and compliant manner. All of these organizations and more have published guides to the best ways to protect data and achieve compliance.

In organizations themselves, everyone is responsible for compliance. However, the burden of educating others and securing an organization’s compliance certifications falls to a compliance officer, often a Chief Compliance Officer (CCO) in a larger organization. Certifications are varied, but the four most common are for healthcare, research, privacy, and ethics. However, just gaining these is not enough—a CCO will have to maintain these standards and become re-certified at regular intervals.

In truth, these certifications are only really helpful for an organization if it has a significant number of them—the four previously listed, at the very least. Each one deals with a different facet of compliance, but the elements of education, reassessment, and discipline common to regulation as a whole are relevant in their own ways.

Another misconception about regulatory compliance is that it is interchangeable with cybersecurity. While it’s true that good cybersecurity is more necessary in healthcare than in most other industries, these practices don’t always conform to compliance standards. The reverse is also true—compliance does not necessarily fix vulnerabilities. The same professional should not be responsible for both, as the considerations are different and keeping abreast of both is a difficult task. However, both officers should be in frequent contact to ensure that nothing one is doing adversely affects the other.

And, above all else, executives should not be afraid to solicit outside help! Third-party organizations are often crucial to providing an objective assessment of how an organization can achieve effective compliance. Plans should be scalable and account for future developments, as regulations will always change. However, with good communication and the help of skilled professionals, healthcare organizations can find options that keep stakeholders happy and data handled properly.

Pillars of a Strong Compliance Culture

While professionals in a variety of industries have strived to adapt to changing regulatory standards, getting an entire company on board is a far different matter. Compliance officers have taken it upon themselves to become well informed about the subject matter and the near-constant barrage of changes that affect it.

That said, a compliance officer trying to single-handedly bring a business up to regulatory standards is akin to trying to extinguish a fire with an eyedropper. Even if one person tries to implement all of the changes necessary, they are, in fact, only one person. Not only does the entire team need to get involved, but the entire team needs to be invested as well. Education is only effective if employees are willing to put procedures into practice and audit their own behavior. Getting them to care is perhaps one of the greatest challenges a compliance professional faces.

For any compliance program, the first step to making it relevant is to adopt a program that has been tested in other industries. While compliance is certainly necessary to obey the law, it also confers other benefits and allows a company to stay competitive. If a firm is able to comply particularly well, it can even strive to obtain a HITRUST certification and distinguish itself further.

Once a company has established industry best practices, it’s time to look at how personnel are trained to achieve compliance. Training is a good first step, but compliance officers must find a way to engage employees effectively. The good news is that processes that lead to good compliance can also lead to increased productivity for employees. Try to simplify workflows and eliminate tasks that lead to possible compliance issues. Employees will be more supportive of changes if they feel that they benefit from them as well.

And employees should be incentivized for practicing good compliance. Establish both good compliance practices and well-defined rewards for following them. Structure any incentive to fit into the everyday workflow of employees and make them aware of how they can contribute.

Organization is also key. Data should not just be kept safe; it should be sequestered and stratified as needed. Whether digital or traditional, part of compliance culture should cover the way data is handled, backed up, and disposed of. Still, this is something that every employee has to be a part of, from C-suite executives right down to new hires. Don’t start a training program meant to explain the finer points of data safety and then fail to follow it up with anything.

Each employee may need a specialized approach to compliance. While anybody can fall victim to something like a phishing scheme, differences in data access mean that a selection of training programs and follow-ups is necessary to cover common issues. Tailoring these initiatives to risk levels helps a company create an experience that is unique and relevant to everyone.

A skilled compliance officer can change the course of an organization through creating a culture based on compliance. Even as companies scramble to keep up with new regulatory environments, many are realizing that making these changes sooner rather than later can have a lasting impact and generate a significant competitive advantage.

Innovate and Comply: The Dual Frontiers of Healthcare Tech

In many ways, new compliance standards are a blessing in disguise for healthcare organizations. While HIPAA and regulations like it may initially seem limiting, forcing a care provider to shake up its infrastructure, they also give it the opportunity to pursue other options in IT management and create scalable, secure systems that will serve it for years to come.

However, like any good frontier, innovation is fraught with danger. New technologies meant to improve aspects of healthcare such as patient data handling also open up new avenues of attack and new challenges to achieving compliance. We are at a point where these changes are necessary, but a balance must be struck to ensure that an organization is not waylaid while experimenting. There’s a lot at stake, but better IT options for healthcare organizations make it a bit easier to pursue improvements.

This is the unfortunate reality of technology in healthcare. Due diligence—particularly when handling sensitive information—is necessary, even if it slows down the speed of innovation. The risk of physical harm looms over healthcare systems as well. After all, if a monitoring device stops working, how will the already beleaguered doctors and nurses know to respond?

Even more concerning is the number of care providers who believe that their security and compliance measures are up to snuff, even though many are not actually compliant. A lack of knowledge about modern standards and unknown gaps in data security both contribute to this gap between perception and reality.

This illustrates the need for healthcare organizations to bring in outside help—specialized auditors are often able to both identify weaknesses and give an organization the sense of what they can build on to deliver a better experience to their patients. It may be another cost an organization has to contend with, but the very real risk of endangering patient lives makes it very much worth it.

But when it comes to moving forward while staying secure, it turns out that it is wholly possible to work with solutions that remain HIPAA compliant. There’s no one segment that innovation is centered around—the beauty of this new frontier is that any healthcare organization with some savvy can start projects that will benefit it for years to come. However, any care provider should be aware of all of the strictures affecting it before it begins; for instance, an international company may need to comply with both EU and HIPAA regulations.

If there’s one thing to take away from this shift, it’s that organizations should take the opportunity to improve rather than simply comply. The antiquity of many infrastructure elements means that they will likely need to make sweeping changes if they haven’t been keeping current. Tools such as cloud infrastructure, wearable technology, and better patient-side systems can all revolutionize the way a care facility functions. It all comes down to analyses of patient and employee needs to figure out which solutions will make the biggest impact.

There is no reason that healthcare organizations should have to choose between compliance and innovation, but they should still learn to do both safely. There’s a lot of work that goes into both, but new HIPAA regulations mean that organizations will need to make changes one way or another—and they may as well put in work that will lead to better outcomes for their patients.