HIPAA regulation: The challenge of integrating compliance and patient care



Similar documents
A study of the role of communications in population health management: Perspectives from across the care continuum

PerfectServe Survey Results. Presented by: Nielsen Consumer Insights Public Relations Research April 2015

The HIPAA Omnibus Final Rule

Achieving Meaningful Use in Private Practice. A close examination of Stage 2 requirements

Escalating volume for practice

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

BEYOND THE EHR MEANINGFUL USE, CONTENT MANAGEMENT AND BUSINESS INTELLIGENCE

THE ACTIVELY CONNECTED PHYSICIAN

Stage 2 Meaningful Use What the Future Holds. Lindsey Wiley, MHA HIT Manager Oklahoma Foundation for Medical Quality

Healthcare Insurance Portability & Accountability Act (HIPAA)

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS

The basics of Health Information Technology

Meaningful Use Stage 2 Deciphered

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16

Four-step plan for HIPAA-compliant electronic communications. A road map for secure clinical communications

The now tips, the how tools, and the must timing for your MU path in 2014.

Telemedicine: Opportunities and Challenges

Medweb Telemedicine 667 Folsom Street, San Francisco, CA Phone: Fax:

Meaningful Use Stage 2:

IT S TIME! PRIMARIS EHR SOLUTION. Benefits of Operational Efficiency. Why Primaris?

Meaningful Use and Security Risk Analysis

provide funding as an incentive to

A First Look at Attitudes Surrounding Telehealth:

Bridging the HIPAA/HITECH Compliance Gap

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

hospitals within a hospital system for other payment purposes and could easily do so for this program as well.

Medicaid EHR Incentive Program Dentists as Eligible Professionals. Kim Davis-Allen, Outreach Coordinator

NHCHC Meaningful Use of Electronic Health Records Resource Catalogue. Meaningful Use Overview

HIPAA and HITECH Compliance for Cloud Applications

Securing Electronic Health Records (EHRs) to Achieve Meaningful Use Compliance, Prevent Data Theft and Fraud

SOLUTION BRIEF SEPTEMBER Healthcare Security Solutions: Protecting your Organization, Patients, and Information

Access is power. Access management may be an untapped element in a hospital s cybersecurity plan. January kpmg.com

Unified Patient Information Management Improving the Way Patient Data is Accessed, Exchanged and Managed

CA Technologies Healthcare security solutions:

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

UPDATE ON THE ADOPTION OF HEALTH INFORMATION TECHNOLOGY AND RELATED EFFORTS TO FACILITATE THE ELECTRONIC USE AND EXCHANGE OF HEALTH INFORMATION

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

LOOKING FORWARD TO STAGE 2 MEANINGFUL USE Louisiana HIPAA & EHR Conference Presenter: Kathleen Keeley

THE STATE OF HEALTHCARE COMPLIANCE: Keeping up with HIPAA, Advancements in EHR & Additional Regulations

Ways to Maximize the Use of Your EHR A Strategic Approach to EHR Utilization

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

CMS Proposed Electronic Health Record Incentive Program For Physicians

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

Meaningful Use Stage 2. Meeting Meaningful Use Stage 2 with InstantPHR TM.

Can CA Information Governance help us protect and manage our information throughout its life cycle and reduce our risk exposure?

Re: Medicare and Medicaid Programs; Electronic Health Record Incentive Program Modifications to Meaningful Use in 2015 through 2017; Proposed Rule

E Z BIS ELECTRONIC HEALTH RECORDS

April 3, Re: Request for Comment: ONC Interoperability Roadmap. Dear Dr. DeSalvo:

Health Information Technology in Healthcare: Frequently Asked Questions (FAQ) 1

T h e M A RY L A ND HEALTH CARE COMMISSION

Rhode Island HIT Survey: 2015 Results and Trends. September 2015

DIVURGENT S ACORM FRAMEWORK

Document Imaging Solutions. The secure exchange of protected health information.

3/9/2011 ELECTRONIC HEALTH RECORDS: A NATIONAL PRIORITY. Mandate for electronic health records is tied to:

The CIO s Guide to HIPAA Compliant Text Messaging

CMS Physician Quality Reporting Programs Strategic Vision

How Real-Time Data Integration is Changing the Face of Healthcare IT

Patient Relationship Management

Participation Agreement Medicaid Provider Program

MDeverywhere, Inc. Presents 2014 CMS EHR Incentive Program Requirements: What Providers Need To Know

Guide To Meaningful Use

How To Prepare For A Patient Care System

Best Practices in HIPAA Security Risk Assessments

Karen DeSalvo, M.D., M.P.H., M.Sc. May 29, 2015 Page 2 of 7

E.H.R. s and Improving Patient Safety - What Has Been the Real Impact?

ACCOUNTABLE CARE ANALYTICS: DEVELOPING A TRUSTED 360 DEGREE VIEW OF THE PATIENT

MEANINGFUL USE. Community Center Readiness Guide Additional Resource #13 Meaningful Use Implementation Tracking Tool (Template) CONTENTS:

Disclosure of Conflict of Interest

19 June

Accountable Care: Implications for Managing Health Information. Quality Healthcare Through Quality Information

Payment Adjustments & Hardship Exceptions Tipsheet for Eligible Professionals Last Updated: March 2014

How To Fix An Electronic Medical Record

ALTARUM. Modernizing Health Care: Leveraging Our Regional Extension Centers

Integration for your Health Information System

Comments to the HIT Standards Committee Implementation Workgroup Implementation Experiences Panel Monday, March 8, 2010

EHR Incentive Program & Meaningful Use

Direct Secure Messaging: Improving the Secure and Interoperable Exchange of Health Information

Mark Anderson, FHIMSS, CPHIMSS Healthcare IT Futurist

Wireless and Mobile Technologies for Healthcare: Ensuring Privacy, Security, and Availability

the healthcare industry through mobility

The Electronic Health Record in Private Practice

Meaningful Use Rules Proposed for Electronic Health Record Incentives Under HITECH Act By: Cherilyn G. Murer, JD, CRA

MEANINGFUL USE STAGE FOR ELIGIBLE PROVIDERS USING CERTIFIED EMR TECHNOLOGY

APTA and Meaningful Use of HIT

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use

24/7 Uptime for Electronic Health Records: Microsoft Windows-based EHRs and Stratus Medical Grade Servers. Healthcare

1900 K St. NW Washington, DC c/o McKenna Long

Good Shepherd Medical Center Device Connectivity Case Study

The Impact of HIPAA and HITECH

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

New Business and Investment Opportunities Emerging from Population Health Management (PHM)

HITRUST CSF Assurance Program

REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI

5 Steps to Success with Stage 2 Meaningful Use

Privacy and Security: Meaningful Use in Healthcare Organizations

LSF HEALTH SYSTEMS Information Technology Plan

I n t e r S y S t e m S W h I t e P a P e r F O R H E A L T H C A R E IT E X E C U T I V E S. In accountable care

The Evolving Nature of Accountable Care. Results from the 2015 ACO Survey

ehealth Pod Pilot Program Challenges I. Identifying Challenges for Providers Not Participating in the Pilot

Transcription:

HIPAA regulation: The challenge of integrating compliance and patient care January 2016

Contents Introduction 3 HIPAA s technology neutral structure 3 creates opportunity and challenge Compliance can pave the way for meaningful use 4 Clinician communication varies and is expanding into new modes 6 Current strategies leave room for improvement 8 Unified care team collaboration platforms are underutilized 10 Sources 11 perfectserve.com 866.844.5484 @PerfectServe Published as a source of information only. The material contained herein is not to be construed as legal advice or opinion. 2016 PerfectServe, Inc. All rights reserved. PerfectServe is a registered trademark and PerfectServe Synchrony and Problem Solved are trademarks of PerfectServe, Inc. 2

Introduction The expansion of communication technology within healthcare organizations involves great promise and great risk. Keeping information flowing and the right people connected at the right time creates potential for more effective patient care and population health management. But a greater number of moving parts also means greater risk. With personal health data moving at greater frequency through an increasing variety of digital channels, the complexity of communicating in a secure manner as mandated by HIPAA regulations is on the rise, as is the risk to the confidentiality and integrity of patient data. While the complexities of compliance and the penalties for breaches are daunting, the true challenge of HIPAA regulations for healthcare organizations is to integrate security compliance into their overall goals of providing high-quality individual patient care and improving population health management. Secure communication is mandatory and vital for patient confidentiality, but it is not intended to be a barrier to high-quality, efficient care. In fact, HIPAA regulations are intended to mesh with and provide a foundation for the kind of proper, efficient exchange of information that grounds new models of collaborative care. HIPAA s core mandate is threefold: confidentiality, integrity and availability. Getting HIPAA compliance right means greater communication and, ultimately, a positive impact on patient care. To make this happen, healthcare organizations need to assess how their members communicate, building compliance into the model in ways that enhance workflow. Finding secure ways to encourage and streamline the flow of information can align the need for HIPAA compliance with the trend toward greater collaboration and the goal of better patient care. HIPAA s technology neutral structure creates opportunity and challenge HIPAA Security Rule regulations require all covered entities to subject their policies, procedures and technical infrastructure to ongoing risk analysis and to implement a comprehensive strategy to ensure confidentiality, integrity and availability of electronic personal health information (ephi), however and whenever it is stored or communicated. 3

Any method of communicating ephi must, under the Security Rule, meet technical standards for Access Controls, Audit Controls, Integrity, Person or Entity Authentication and Transmission Security. However, the law does not regulate or provide guidance on the specific technologies health organizations may use to store and communicate ephi. The law is intentionally technology neutral; it does not prescribe or restrict storage or communication methods it only mandates that they meet security standards in these areas. For healthcare organizations, this is good news. The law does not restrict methods of communication or specify use of technologies that are continually becoming outdated. This encourages flexibility and innovation, as new ways of communicating can fuel new ways of coordinating care. The law permits individual organizations to assess and adopt the technologies they feel will best serve their overall goals and structure. However, this flexibility also comes at a price. The burden falls on healthcare organizations to structure their communication strategies, proactively vetting and choosing technologies that fit in with overall healthcare goals. They also must ensure that every aspect of the way they handle sensitive personal health information is secure every method of communication, every device, every software platform, every network. As methods of communication change and proliferate, the task becomes larger and more complex, requiring greater strategic planning and more organizational resources. Compliance can pave the way for meaningful use Facing this challenge, organizations may simply focus on or feel overwhelmed by the technical complexity of bringing their communications into compliance losing sight of a larger potential. The flexibility within the Security Rule is essential to achieving its third core tenet: availability of information. The ability to store and transmit data securely means that it can be shared among all those on the care team keeping the right people informed in a timely manner. According to the Department of Health and Human Services, permitting the appropriate access and use of that information, ultimately promotes the use of electronic health information in the industry an important goal 4

of HIPAA. 1 Security compliance actually encourages the exchange of information that can bring about greater efficiencies and better outcomes in our healthcare model. The intent to dovetail compliance with coordination improvements is exemplified in the push to encourage meaningful use of electronic health records (EHRs). Starting in 2011, the Centers for Medicare & Medicaid Services (CMS) began administering an incentive program to promote the transition to electronic health record systems. The goals of this program are not only to solidify patient data security but also to enhance the ability of healthcare organizations to use that data in meaningful ways. Securing data in compliance with HIPAA regulation through an EHR can not only maintain privacy and security of patient health information, but also enable healthcare organizations to improve quality, safety, [and] efficiency, and reduce health disparities; engage patients and family; [and] improve care coordination, and population and public health. 2 While related to a single aspect (EHRs) of the data storage and communication technologies covered by the Security Rule, the meaningful use program crystalizes the potential that secure communication systems hold. The ability to store and communicate data securely means the ability to use that data responsibly and creatively to improve delivery of quality healthcare for individual patients and system-wide. The stages of a meaningful use EHR program defined by CMS [Table 1] show how such technical advances could have far-reaching effects on many aspects of our healthcare system, from public health initiatives to greater engagement of patients and families in their own care. Ultimately, it is hoped that meaningful use of HIPAA-compliant technologies will result in: Better clinical outcomes Improved population health outcomes Increased transparency and efficiency Empowered individuals More robust research data on health systems 3 This vision depends, however, on systems that can meet the technical 5

security standards required by HIPAA, and streamline workflow and improve clinician communication. Table 1 Source: www.healthit.gov/providersprofessionals/how-attain-meaningful-use Stage 1: Meaningful use criteria focus on: Stage 2: Meaningful use criteria focus on: Stage 3: Meaningful use criteria focus on: Electronically capturing health information in a standardized format More rigorous health information exchange (HIE) Improving quality, safety and efficiency, leading to improved health outcomes Using that information to track key clinical conditions Increased requirements for e-prescribing and incorporating lab results Decision support for national high-priority conditions Communicating that information for care coordination processes Electronic transmission of patient care summaries across multiple settings Patient access to self-management tools Initiating the reporting of clinical quality measures and public health information More patientcontrolled data Access to comprehensive patient data through patientcentered HIE Using information to engage patients and their families in their care Improving population health Clinician communication varies and is expanding into new modes The challenge of finding the best HIPAA-compliant communication strategies is particularly pressing as, in the search to improve patient care through clinician coordination and patient communication, healthcare organizations are increasingly relying on a complex, often ad hoc, array of technologies and communication platforms. The current workflow and communication model is high-volume and intricate. Clinicians coordinate care within networks and with external partners using a host of devices and applications, generating a high 6

volume of contacts. In an analysis of PerfectServe data from three hospitals, representing an aggregate of 774 beds and 54,000 annual admissions, clinicians initiated more than 680,000 calls and messages to approximately 900 physicians annually. In a recent online study conducted by Harris Poll on behalf of PerfectServe among various healthcare professionals, data further reveals the intricacy of the system. Phone calls, text messages, email, EHRs, locating an individual for a face-to-face conversation all are used with varying frequency according to the preferences of the individual clinician, the type and complexity of information sought, and whether the recipient of the message is within the clinician s organization or is an outside partner. 4 Recent data also indicates that multiple platforms rather than a unified system is the norm: in a study of nearly one thousand healthcare professionals, 69% indicate their organization uses multiple applications and technologies for secure communication. 5 An organization must account for all of these methods in assessing risk to patient data and must ensure that all methods meet the security standards set by HIPAA. Additionally, health organizations are using an ever broader and more technically complex system of communications to optimize population health management [Table 2]. These methods serve to improve quality and availability of care, but also rely on the transmission of patient data. More contacts and more methods of communication between clinicians and their patients mean more points at which that health data could be vulnerable and more systems to bring into compliance. 7

Follow-up patient phone calls 83% 10% Online patient portals 74% 16% Unified secure communication platform Patient text reminders/updates Telemedicine Remote coordinations Remote monitoring Mobile care team communications Video conferencing 46% 41% 39% 36% 32% 32% 36% 25% 26% 22% 24% 25% 24% 19% Remote consults 31% 23% 0% 20% 40% 60% 80% 100% Currently use Plan to use within the next 12 months Table 2 Source: Harris Poll, April 2015 Q920: Which of the following technologies does your organization currently use or plan to use within the next 12 months to optimize population health management? Thus, the reality of how clinicians communicate creates a maze of communication technologies for healthcare organizations to submit to risk analysis and bring up to security standards. As healthcare organizations continue to embrace collaboration and the breadth of communication technologies that make it possible, HIPAA compliance will only become more complex. Base: All Qualified Respondents (n=955) Current strategies leave room for improvement How successful are health organizations in meeting this challenge? Studies show that while most healthcare organizations are prioritizing data security, current strategies leave significant frustration and room for improvement both in compliance strategies themselves and in the integration of compliance with improved workflow. Organizations have HIPAA-compliance risk mitigation strategies in place and many are working to improve them in the wake of recent data breaches. A recent survey shows the vast majority work in a group that 8

84% Indicate their health organization has a risk mitigation plan for HIPAA 46% Say their health organization has instituted security measures in response to news of 2014 healthcare data breaches 61% Agree that HIPAA regulations pose an obstacle to efficient communication and collaboration within the care team has an official risk mitigation strategy, and 4 out of 5 (83%) believe that secure communication is a top priority for their organization; nearly half indicate their group has made changes to that plan in light of recent prominent data breaches. 6 But the solutions most rely on are not ideal. Despite the overall emphasis on security and level of organizational commitment, frustration and dissatisfaction exist with methods of secure communication, patient data is still being transmitted in unsecure ways, and barriers to communication are impacting patient care. The recent survey indicates that: For most, the strategies necessary for compliance have not been neatly integrated into their workflow: 61% feel that HIPAA regulations pose an obstacle to efficient communications and collaboration within their care team. Compliance is a priority, but the tools available are not always up to the task: nearly 3 in 10 (29%) are dissatisfied with the secure communication technology in their organization s current strategy. Despite efforts, the failure of healthcare organizations to create a unified, complete system is the primary source of frustration: the most commonly cited reasons for dissatisfaction are the variance in communication technologies used by different members of the organization (68%) and the failure to have secure communication accessible to all members of the organization (55%). Lack of uniformity in the system and universal access to all team members are much stronger factors in dissatisfaction even than technical deficiencies such as outdated, unreliable software or programs that are complicated to use. When a web of disparate technologies is in place and not everyone is included in the same system of communication, collaboration and efficient patient care face a hurdle: 7 in 10 clinicians (69%) indicate that patient care is often delayed while they wait for information about a patient. 7 The gaps in an organization s strategy can also lead to failures in compliance, leaving patient health information vulnerable to exposure or corruption. Despite the emphasis on communication security and 9

the strategies in place, 13% of healthcare professionals admit that, in order to facilitate patient care, they have sent patient health information through unsecure text or voice messages with their personal smart phone in the past year, and 21% acknowledge having received unsecure communications from colleagues via the same manner for this purpose. 8 While breaches occur for many reasons, the majority can be traced to inadequately planned processes and tools organizations develop internally to manage this complicated landscape. A 2015 Ponemon Institute study of ephi security breaches indicates that the underlying causes of these breakdowns are most often an ad hoc process (34%) or a manual process or tool developed by the organization itself (27%). Incidents traced to an automated process or third-party software occur at a much lower rate (13%). 9 Unified care team collaboration platforms are underutilized For healthcare organizations that are increasingly embracing more collaborative care models and the technologies that make care more accessible and efficient, the answer to HIPAA compliance must focus simultaneously on data security and availability. In a world of rapidly expanding communication methods and applications, points at which the communication model can be streamlined as well as secured can reduce the burden of ongoing risk management on organizations. A unified care team collaboration platform can help organizations simplify their risk management strategy, relying on a single integrated system rather than tracking and juggling multiple systems. It can also ameliorate the two main causes of dissatisfaction with secure communication within healthcare organizations: not all members using the same technologies and not all members having access to secure communication technology. However, this strategy is not being as widely implemented as it could be, with nearly 7 in 10 (69%) healthcare professionals reporting that their organization deals with multiple technologies rather than one unified platform. As organizations review and work to improve their risk management strategies, a unified communications platform can be an important piece of the move toward integrating HIPAA compliance with the best patient care and population health management possible. 10

Sources 1. Security 101 for Covered Entities. HIPAA Security Series: Volume 2, Paper 1. Department of Health and Human Services. 2007. Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/ securityruleguidance.html. 2. https://www.healthit.gov/providers-professionals/meaningful-usedefinition-objectives. Accessed December 7, 2015. 3. https://www.healthit.gov/providers-professionals/meaningful-usedefinition-objectives. Accessed December 7, 2015. 4. PerfectServe Survey Results, April 2015. Harris Poll. The PerfectServe survey was conducted online by Harris Poll on behalf of PerfectServe between February 12 and March 6, 2015. The research was conducted among 955 medical professionals in the following occupations: hospitalist (n=150), primary care physician in an office (n=150), specialist physician in a hospital (n=102), specialist physician in an office (n=101), hospital administrator (n=170), office manager/practice administrator* (n=81), nurse in a hospital (n=101) and case manager (n=100). Office-based respondents work in an office with 25 or more physicians. Hospital-based respondents work in a hospital with 200 or more beds. Physician respondents are duly licensed in the state where they practice. Data were not weighted and are only representative of those who completed the survey. *Nine office managers/practice administrators work in an office with fewer than 25 physicians. When referring to this study, clinicians indicates a subset of respondents excluding administrators. The subset includes hospitalist (n=150); PCP office (n=150); specialty physician, hospital (n=102); specialty physician, office (n=101); nurse, hospital (n=101); and case manager (n=100), for a total base of n=704. 5. PerfectServe Survey Results, April 2015. Harris Poll. 6. PerfectServe Survey Results, April 2015. Harris Poll. 7. PerfectServe Survey Results, April 2015. Harris Poll. 11

8. PerfectServe Survey Results, April 2015. Harris Poll. 9. Ponemon Institute, Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, May 2015. Available at http://www.ponemon.org/library/fifth-annual-benchmark-study-onprivacy-security-of-healthcare-data. 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information