Healthy, wealthy and wise
By Dan Gregory, January 2012
The impact of regulatory compliance on patient relationships.
Healthcare professionals are routinely confronted with a frustrating irony: The measures they take to satisfy compliance regulations and protect patients can also create more patient worry as a result of heightened awareness of the vulnerabilities that make these regulations necessary.
To overcome this obstacle, and to accomplish the goals of providing sufficient due diligence to meet industry standards while also providing a safe, secure environment for patients, it is necessary to gain a thorough understanding of the IT solutions that will optimally accommodate these requirements. The best way to ease the minds of healthcare providers’ customers – their patients – is to design and implement rigorous and sustainable data security and IT compliance practices.
From driver’s licenses and credit cards to insurance and medical data, the information we provide to medical professionals is some of the most private information we possess. Patients pass that information along – often when they are under stress or duress – without giving it a second thought. It is incumbent upon hospitals and healthcare providers to not only satisfy the relevant regulatory requirements, but to also fulfill the implied covenant that comes from handling such sensitive information. The ability to assure patients who express concern that their information will be processed through the system in a manner that safeguards their identity, privacy and financial security is critical for any medical facility.
The best way to do so is to put systems in place that satisfy the standards of a lean IT environment: efficient and effective systems that do the job without excess complexity. Those systems are made up of two broad categories: technical measures, such as servers, software and firewalls; and non-technical, personnel-related measures, such as processes, policies and procedures. It is the latter category that is often overlooked, which is problematic because the breakdowns in policy and avoidable mistakes lead to the biggest security vulnerabilities. Healthcare providers should be devoting more time and resources to improving the stringent human-centric policies that optimize information security, as well as investing in education, training and monitoring needed to ensure that those policies and procedures remain current and effective.
Healthcare providers often focus too much on the security systems and monitoring that pertains to up-front processing at the expense of other exposed areas. Using a secure credit card processing system is certainly important, but there are far more worrisome – and less visible – places where security should be tightened. Consider the physical security of payment forms, and think about the policies and procedures in place to protect them. Who sees that information? Where are those documents stored? Determine if both hard copies and digital or electronic copies are secure. Are there backups? Is the data encrypted? What about long-term storage of information?
These are all critical questions, and the answers cannot be “maybes.” Airtight policies and procedures are designed to avoid shortcuts, eradicate bad habits and eliminate avoidable mistakes. Approximately 75 to 80 percent of all information security problems are people related. Technology is not perfect, but people are the weakest link. It is for that reason that security audits pay particular attention to policies and procedures, including tracking and monitoring protocols that assess efficacy. It is also important that the technological framework and the policy-related human security elements reinforce one another, creating redundancies between the hardware, software and “human ware” of the information security safety net. Finally, remember to put mechanisms in place to facilitate ongoing enforcement, improvement and training. A permanent committee might be the best way to discuss and respond to evolving regulatory standards, to determine if there are realistic and effective training programs in place to keep employees current on the latest procedures, and to ensure that the provider maintains an effective, sustainable and realistic application of new technologies.
With countless regulations in place – JCAHO, HIPAA and the like – healthcare is one of the most complex and highly regulated industries. One of the advantages of establishing a strong framework of lean IT with rigorous policies and procedures is that healthcare providers are well positioned to respond to an always-evolving regulatory landscape. The current transition within the industry to new standards under the Health Information Technology for Economic and Clinical Health Act (HITECH) is a clear example of this dynamic in action. As medical professionals work to integrate new electronic health records and secure electronic health information exchanges in order to meet new standards and qualify for incentive payments, they find themselves working to meet meaningful-use objectives that are perfectly aligned with robust and efficient information security: complete and accurate information, better access to information and patient empowerment; proof positive that well-designed security systems today can pay significant and lasting dividends.
About the author:
Dan Gregory is practice manager of IT governance, risk and compliance for Michigan-based Creative Breakthroughs. Click here to read more about Creative Breakthroughs.