HIPAA regulation: The challenge of integrating compliance and patient care

January 2016

Contents

Introduction
HIPAA’s “technology neutral” structure creates opportunity and challenge
Compliance can pave the way for meaningful use
Clinician communication varies and is expanding into new modes
Current strategies leave room for improvement
Unified care team collaboration platforms are underutilized
Sources

Published as a source of information only. The material contained herein is not to be construed as legal advice or opinion.

© 2016 PerfectServe, Inc. All rights reserved. PerfectServe® is a registered trademark and PerfectServe Synchrony™ and Problem Solved™ are trademarks of PerfectServe, Inc.

perfectserve.com | 866.844.5484 | @PerfectServe

Introduction

The expansion of communication technology within healthcare organizations involves great promise and great risk.

Keeping information flowing and the right people connected at the right time creates potential for more effective patient care and population health management.

But a greater number of moving parts also means greater risk. With personal health data moving at greater frequency through an increasing variety of digital channels, the complexity of communicating in a secure manner as mandated by HIPAA regulations is on the rise, as is the risk to the confidentiality and integrity of patient data.

While the complexities of compliance—and the penalties for breaches—are daunting, the true challenge of HIPAA regulations for healthcare organizations is to integrate security compliance into their overall goals of providing high-quality individual patient care and improving population health management. Secure communication is mandatory and vital for patient confidentiality, but it is not intended to be a barrier to high-quality, efficient care.

In fact, HIPAA regulations are intended to mesh with and provide a foundation for the kind of proper, efficient exchange of information that grounds new models of collaborative care. HIPAA’s core mandate is threefold: confidentiality, integrity and availability. Getting HIPAA compliance right means greater communication and, ultimately, a positive impact on patient care. To make this happen, healthcare organizations need to assess how their members communicate, building compliance into the model in ways that enhance workflow. Finding secure ways to encourage and streamline the flow of information can align the need for HIPAA compliance with the trend toward greater collaboration and the goal of better patient care.

HIPAA’s “technology neutral” structure creates opportunity and challenge

HIPAA Security Rule regulations require all covered entities to subject their policies, procedures and technical infrastructure to ongoing risk analysis and to implement a comprehensive strategy to ensure confidentiality, integrity and availability of electronic protected health information (ePHI), however and whenever it is stored or communicated.

Any method of communicating ePHI must, under the Security Rule, meet the technical safeguard standards (45 CFR § 164.312) for Access Controls, Audit Controls, Integrity, Person or Entity Authentication and Transmission Security. These sit alongside the Rule’s administrative and physical safeguards; a communication method is not compliant simply because one of them, such as encryption in transit, is in place.

However, the Rule does not regulate or provide guidance on the specific technologies health organizations may use to store and communicate ePHI. The law is intentionally technology neutral; it does not prescribe or restrict storage or communication methods—it only mandates that they meet security standards in these areas.

For healthcare organizations, this is good news. The law does not restrict methods of communication or specify use of technologies that are continually becoming outdated. This encourages flexibility and innovation, as new ways of communicating can fuel new ways of coordinating care.

The law permits individual organizations to assess and adopt the technologies they feel will best serve their overall goals and structure.

However, this flexibility also comes at a price. The burden falls on healthcare organizations to structure their communication strategies, proactively vetting and choosing technologies that fit in with overall healthcare goals. They also must ensure that every aspect of the way they handle sensitive personal health information is secure—every method of communication, every device, every software platform, every network. As methods of communication change and proliferate, the task becomes larger and more complex, requiring greater strategic planning and more organizational resources.

Compliance can pave the way for meaningful use

Facing this challenge, organizations may simply focus on or feel overwhelmed by the technical complexity of bringing their communications into compliance—losing sight of a larger potential. The flexibility within the Security Rule is essential to achieving its third core tenet: availability of information. The ability to store and transmit data securely means that it can be shared among all those on the care team—keeping the right people informed in a timely manner. According to the Department of Health and Human Services, “permitting the appropriate access and use of that information, ultimately promotes the use of electronic health information in the industry—an important goal of HIPAA.”[1] Security compliance actually encourages the exchange of information that can bring about greater efficiencies and better outcomes in our healthcare model.

The intent to dovetail compliance with coordination improvements is exemplified in the push to encourage “meaningful use” of electronic health records (EHRs). Starting in 2011, the Centers for Medicare & Medicaid Services (CMS) began administering an incentive program to promote the transition to electronic health record systems. The goals of this program are not only to solidify patient data security but also to enhance the ability of healthcare organizations to use that data in meaningful ways. Securing data in compliance with HIPAA regulation through an EHR can not only “maintain privacy and security of patient health information,” but also enable healthcare organizations to “improve quality, safety, [and] efficiency, and reduce health disparities; engage patients and family; [and] improve care coordination, and population and public health.”[2]

While related to a single aspect (EHRs) of the data storage and communication technologies covered by the Security Rule, the meaningful use program crystallizes the potential that secure communication systems hold. The ability to store and communicate data securely means the ability to use that data responsibly and creatively to improve delivery of quality healthcare for individual patients and system-wide. The stages of a meaningful use EHR program defined by CMS [Table 1] show how such technical advances could have far-reaching effects on many aspects of our healthcare system, from public health initiatives to greater engagement of patients and families in their own care.

Ultimately, it is hoped that meaningful use of HIPAA-compliant technologies will result in:

• Better clinical outcomes

• Improved population health outcomes

• Increased transparency and efficiency

• Empowered individuals

• More robust research data on health systems[3]

This vision depends, however, on systems that can meet the technical security standards required by HIPAA, and streamline workflow and improve clinician communication.

Table 1. Stages of meaningful use as defined by CMS
Source: www.healthit.gov/providers-professionals/how-attain-meaningful-use

Stage 1: Meaningful use criteria focus on:
• Electronically capturing health information in a standardized format
• Using that information to track key clinical conditions
• Communicating that information for care coordination processes
• Initiating the reporting of clinical quality measures and public health information
• Using information to engage patients and their families in their care

Stage 2: Meaningful use criteria focus on:
• More rigorous health information exchange (HIE)
• Increased requirements for e-prescribing and incorporating lab results
• Electronic transmission of patient care summaries across multiple settings
• More patient-controlled data

Stage 3: Meaningful use criteria focus on:
• Improving quality, safety and efficiency, leading to improved health outcomes
• Decision support for national high-priority conditions
• Patient access to self-management tools
• Access to comprehensive patient data through patient-centered HIE
• Improving population health

Clinician communication varies and is expanding into new modes

The challenge of finding the best HIPAA-compliant communication strategies is particularly pressing as, in the search to improve patient care through clinician coordination and patient communication, healthcare organizations are increasingly relying on a complex, often ad hoc, array of technologies and communication platforms. The current workflow and communication model is high-volume and intricate.

Clinicians coordinate care within networks and with external partners using a host of devices and applications, generating a high volume of contacts. In an analysis of PerfectServe data from three hospitals, representing an aggregate of 774 beds and 54,000 annual admissions, clinicians initiated more than 680,000 calls and messages to approximately 900 physicians annually. In a recent online study conducted by Harris Poll on behalf of PerfectServe among various healthcare professionals, data further reveals the intricacy of the system. Phone calls, text messages, email, EHRs, locating an individual for a face-to-face conversation—all are used with varying frequency according to the preferences of the individual clinician, the type and complexity of information sought, and whether the recipient of the message is within the clinician’s organization or is an outside partner.[4] Recent data also indicates that multiple platforms rather than a unified system is the norm: in a study of nearly one thousand healthcare professionals, 69% indicate their organization uses multiple applications and technologies for secure communication.[5] An organization must account for all of these methods in assessing risk to patient data and must ensure that all methods meet the security standards set by HIPAA.

Additionally, health organizations are using an ever broader and more technically complex system of communications to optimize population health management [Table 2]. These methods serve to improve quality and availability of care, but also rely on the transmission of patient data. More contacts and more methods of communication between clinicians and their patients mean more points at which that health data could be vulnerable and more systems to bring into compliance.

Thus, the reality of how clinicians communicate creates a maze of communication technologies for healthcare organizations to submit to risk analysis and bring up to security standards. As healthcare organizations continue to embrace collaboration and the breadth of communication technologies that make it possible, HIPAA compliance will only become more complex.

Table 2. Technologies used or planned to optimize population health management
Source: Harris Poll, April 2015
Q920: Which of the following technologies does your organization currently use or plan to use within the next 12 months to optimize population health management?
Base: All Qualified Respondents (n=955)

Technology                              Currently use   Plan to use within the next 12 months
Follow-up patient phone calls           83%             23%
Online patient portals                  74%             19%
Unified secure communication platform   46%             24%
Patient text reminders/updates          41%             25%
Telemedicine                            39%             24%
Remote coordinations                    36%             22%
Remote monitoring                       32%             26%
Mobile care team communications         32%             25%
Video conferencing                      36%             16%
Remote consults                         31%             10%

Current strategies leave room for improvement

How successful are health organizations in meeting this challenge?

Studies show that while most healthcare organizations are prioritizing data security, current strategies leave significant frustration and room for improvement both in compliance strategies themselves and in the integration of compliance with improved workflow.

Organizations have HIPAA-compliance risk mitigation strategies in place and many are working to improve them in the wake of recent data breaches. A recent survey shows the vast majority work in a group that has an official risk mitigation strategy, and 4 out of 5 (83%) believe that secure communication is a top priority for their organization; nearly half indicate their group has made changes to that plan in light of recent prominent data breaches.[6]

But the solutions most rely on are not ideal. Despite the overall emphasis on security and level of organizational commitment, frustration and dissatisfaction exist with methods of secure communication, patient data is still being transmitted in unsecure ways, and barriers to communication are impacting patient care. The recent survey indicates that:

• For most, the strategies necessary for compliance have not been neatly integrated into their workflow: 61% feel that HIPAA regulations pose an obstacle to efficient communications and collaboration within their care team.

• Compliance is a priority, but the tools available are not always up to the task: nearly 3 in 10 (29%) are dissatisfied with the secure communication technology in their organization’s current strategy.

• Despite efforts, the failure of healthcare organizations to create a unified, complete system is the primary source of frustration: the most commonly cited reasons for dissatisfaction are the variance in communication technologies used by different members of the organization (68%) and the failure to have secure communication accessible to all members of the organization (55%). Lack of uniformity in the system and universal access to all team members are much stronger factors in dissatisfaction even than technical deficiencies such as outdated, unreliable software or programs that are complicated to use.

• When a web of disparate technologies is in place and not everyone is included in the same system of communication, collaboration and efficient patient care face a hurdle: 7 in 10 clinicians (69%) indicate that patient care is often delayed while they wait for information about a patient.[7]

84% indicate their health organization has a risk mitigation plan for HIPAA

46% say their health organization has instituted security measures in response to news of 2014 healthcare data breaches

61% agree that HIPAA regulations pose an obstacle to efficient communication and collaboration within the care team

The gaps in an organization’s strategy can also lead to failures in compliance, leaving patient health information vulnerable to exposure or corruption. Despite the emphasis on communication security and the strategies in place, 13% of healthcare professionals admit that, in order to facilitate patient care, they have sent patient health information through unsecure text or voice messages with their personal smartphone in the past year, and 21% acknowledge having received unsecure communications from colleagues via the same manner for this purpose.[8]

While breaches occur for many reasons, the majority can be traced to inadequately planned processes and tools organizations develop internally to manage this complicated landscape. A 2015 Ponemon Institute study of ePHI security breaches indicates that the underlying causes of these breakdowns are most often an ad hoc process (34%) or a manual process or tool developed by the organization itself (27%). Incidents traced to an automated process or third-party software occur at a much lower rate (13%).[9]

Unified care team collaboration platforms are underutilized

For healthcare organizations that are increasingly embracing more collaborative care models and the technologies that make care more accessible and efficient, the answer to HIPAA compliance must focus simultaneously on data security and availability. In a world of rapidly expanding communication methods and applications, points at which the communication model can be streamlined as well as secured can reduce the burden of ongoing risk management on organizations.

A unified care team collaboration platform can help organizations simplify their risk management strategy, relying on a single integrated system rather than tracking and juggling multiple systems. It can also ameliorate the two main causes of dissatisfaction with secure communication within healthcare organizations: not all members using the same technologies and not all members having access to secure communication technology. Consolidation does not remove the organization’s own obligations: a vendor that operates such a platform handles ePHI on the organization’s behalf, so it must be engaged under a business associate agreement and the platform must be included in the organization’s ongoing risk analysis.

However, this strategy is not being as widely implemented as it could be, with nearly 7 in 10 (69%) healthcare professionals reporting that their organization deals with multiple technologies rather than one unified platform.

As organizations review and work to improve their risk management strategies, a unified communications platform can be an important piece of the move toward integrating HIPAA compliance with the best patient care and population health management possible.

Sources

1. “Security 101 for Covered Entities.” HIPAA Security Series: Volume 2, Paper 1. Department of Health and Human Services. 2007. Available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html.

2. https://www.healthit.gov/providers-professionals/meaningful-use-definition-objectives. Accessed December 7, 2015.

3. https://www.healthit.gov/providers-professionals/meaningful-use-definition-objectives. Accessed December 7, 2015.

4. PerfectServe Survey Results, April 2015. Harris Poll. The PerfectServe survey was conducted online by Harris Poll on behalf of PerfectServe between February 12 and March 6, 2015. The research was conducted among 955 medical professionals in the following occupations: hospitalist (n=150), primary care physician in an office (n=150), specialist physician in a hospital (n=102), specialist physician in an office (n=101), hospital administrator (n=170), office manager/practice administrator* (n=81), nurse in a hospital (n=101) and case manager (n=100). Office-based respondents work in an office with 25 or more physicians. Hospital-based respondents work in a hospital with 200 or more beds. Physician respondents are duly licensed in the state where they practice. Data were not weighted and are only representative of those who completed the survey. *Nine office managers/practice administrators work in an office with fewer than 25 physicians. When referring to this study, “clinicians” indicates a subset of respondents excluding administrators. The subset includes hospitalist (n=150); PCP office (n=150); specialty physician, hospital (n=102); specialty physician, office (n=101); nurse, hospital (n=101); and case manager (n=100), for a total base of n=704.

5. PerfectServe Survey Results, April 2015. Harris Poll.

6. PerfectServe Survey Results, April 2015. Harris Poll.

7. PerfectServe Survey Results, April 2015. Harris Poll.

8. PerfectServe Survey Results, April 2015. Harris Poll.

9. Ponemon Institute, Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, May 2015. Available at http://www.ponemon.org/library/fifth-annual-benchmark-study-on-privacy-security-of-healthcare-data.