Regulatory Issues: Healthy, wealthy and wise
The impact of regulatory compliance on patient relationships. By Dan Gregory
Healthcare professionals are routinely confronted with a frustrating irony: The measures they take to satisfy compliance regulations and protect patients can also create more patient worry as a result of heightened awareness of the vulnerabilities that make these regulations necessary. To overcome this obstacle, and to accomplish the goals of providing sufficient due diligence to meet industry standards while also providing a safe, secure environment for patients, it is necessary to gain a thorough understanding of the IT solutions that will optimally accommodate these requirements. The best way to ease the minds of healthcare providers’ customers – their patients – is to design and implement rigorous and sustainable data security and IT compliance practices.

From driver’s licenses and credit cards to insurance and medical data, the information we provide to medical professionals is some of the most private information we possess. Patients pass that information along – often when they are under stress or duress – without giving it a second thought. It is incumbent upon hospitals and healthcare providers to not only satisfy the relevant regulatory requirements, but to also fulfill the implied covenant that comes from handling such sensitive information. The ability to assure patients who express concern that their information will be processed through the system in a manner that safeguards their identity, privacy and financial security is critical for any medical facility.

Dan Gregory is practice manager of IT governance, risk and compliance for Michigan-based Creative Breakthroughs. For more on Creative Breakthroughs solutions: www.rsleads.com/201ht-219
The best way to do so is to put systems in place that satisfy the standards of a lean IT environment: efficient and effective systems that do the job without excess complexity. Those systems are made up of two broad categories: technical measures, such as servers, software and firewalls; and non-technical, personnel-related measures, such as processes, policies and procedures. It is the latter category that is often overlooked, which is problematic because breakdowns in policy and avoidable mistakes lead to the biggest security vulnerabilities. Healthcare providers should be devoting more time and resources to improving the stringent human-centric policies that optimize information security, as well as investing in the education, training and monitoring needed to ensure that those policies and procedures remain current and effective.

Healthcare providers often focus too much on the security systems and monitoring that pertain to up-front processing, at the expense of other exposed areas. Using a secure credit card processing system is certainly important, but there are far more worrisome – and less visible – places where security should be tightened. Consider the physical security of payment forms, and think about the policies and procedures in place to protect them. Who sees that information? Where are those documents stored? Determine whether both hard copies and digital or electronic copies are secure. Are there backups? Is the data encrypted? What about long-term storage of information? These are all critical questions, and the answers cannot be “maybes.”

Airtight policies and procedures are designed to avoid shortcuts, eradicate bad habits and eliminate avoidable mistakes. Approximately 75 to 80 percent of all information security problems are people-related. Technology is not perfect, but people are the weakest link. It is for that reason that security audits pay particular attention to policies and procedures, including tracking and monitoring protocols that assess efficacy. It is also important that the technological framework and the policy-related human security elements reinforce one another, creating redundancies between the hardware, software and “human ware” of the information security safety net.

Finally, remember to put mechanisms in place to facilitate ongoing enforcement, improvement and training. A permanent committee might be the best way to discuss and respond to evolving regulatory standards, to determine whether there are realistic and effective training programs in place to keep employees current on the latest procedures, and to ensure that the provider maintains an effective, sustainable and realistic application of new technologies.

With countless regulations in place – JCAHO, HIPAA and the like – healthcare is one of the most complex and highly regulated industries.
One of the advantages of establishing a strong framework of lean IT with rigorous policies and procedures is that healthcare providers are well positioned to respond to an always-evolving regulatory landscape. The current transition within the industry to new standards under the Health Information Technology for Economic and Clinical Health Act (HITECH) is a clear example of this dynamic in action. As medical professionals work to integrate new electronic health records and secure electronic health information exchanges in order to meet new standards and qualify for incentive payments, they find themselves working to meet meaningful-use objectives that are perfectly aligned with robust and efficient information security: complete and accurate information, better access to information and patient empowerment. That is proof positive that well-designed security systems today can pay significant and lasting dividends.
HMT Health Management Technology, January 2012, p. 21