HIPAA causes inefficiency at healthcare institutions: Can it be overcome? By Robin Singh

Compliance 

TODAY March 2017 

a publication of the health care compliance association 

www.hcca-info.org 

Increasing 

understanding between 

CMS and health plans 

an interview with Gail McGrath 

Chief Executive Officer 

MAPA Compliance Forum 

Washington, DC 

See page 16 

25 

33 

40 

48 

Senate report 

discourages dealings 

with physician-owned 

distributorships 

Thomas N. Bulleit and 

Peter P. Holman, Jr. 

State healthcare 

fraud enforcement: 

The Virginia 

Fraud Against 

Taxpayers Act 

Candice M. Deisher 

Implementing cultural 

competency and 

language preference: 

Steps to better 

compliance 

Claudia J. Teich 

The other 

annual work 

plan, Part 1 

Walter E. Johnson, 

Frank Ruelas and 

Anne Van Dusen 

This article, published in Compliance Today, appears here with permission from the Health Care Compliance Association. Call HCCA at 888-580-8373 with reprint requests.

y Robin Singh, MSc-Law, MSc-IT, LPEC, CFE 

HIPAA causes inefficiency 

at healthcare institutions: 

Can it be overcome? 

»» 

The cyberattack on Anthem is a wake-up call for healthcare providers to review the security of their patient data. 

»» 

Some of the rules in place to safeguard electronic PHI create a vicious circle, which at times is difficult to manage, 

and a line has to be drawn between healthcare in theory and healthcare in practice. 

»» 

Entities try to leverage technology for performance efficiencies, better care, and cost efficiencies; however, if 

the technology becomes a pain rather than a boon, it can only lead to inefficiencies in the system. 

»» 

HIPAA requirements may make it difficult for providers to communicate and share patient information with 

each other in emergencies, thus impacting patient care. 

»» 

Institutions should create a mechanism to use technology to their advantage by identifying alternative 

mechanisms to satisfy their end goal, which is to provide adequate care. 

Compliance Today March 2017 

Robin Singh (robinsingh002@yahoo.com) is a seasoned Compliance and 

Fraud Examiner and currently works with the Abu Dhabi (United Arab Emirates) 

government in Health Services. Twitter: @drobinsingh 

LinkedIn: https://ae.linkedin.com/in/whitecollarinvestigator 

The cyberattack on Anthem, the second 

largest insurer in the U.S., triggered a 

wave of panic among healthcare institutions 

and beneficiaries as well about the 

safety and privacy of their personal records. 

Anthem Inc., announced in February 2015 

that 80 million past and present customers 

had been the target of a massive data breach 

that compromised names, birthdays, medical 

IDs, Social Security numbers, street addresses, 

and employment information. 1 That means 

they are at risk of identity fraud. Anthem is a 

huge organization and, although it may not 

be directly concerned with providing healthcare, 

the truth is evident—health-related 

data is as deserving of security protocols as 

other key data, such as bank details or Social 

Security details. 

The fact is that unauthorized 

access to healthcare information 

allows fraudsters to exploit various 

opportunities to make money or 

receive benefits. For example, they 

may claim insurance benefits, they 

may receive medical care, they may 

buy medical equipment or drugs—all Singh 

under the name of the individual 

whose identity or data they have stolen. The 

possible repercussions of this type of fraud 

are enormous and have been brought into the 

spotlight. The need for stringent and effective 

controls to prevent access to data by unauthorized 

people is therefore immense. 

Patient data security and HIPAA 

One of the objectives of the Health Insurance 

Portability and Accountability Act of 1996 

(HIPAA) is to prevent cyberattacks on 

healthcare institutions. If hackers have an 

opportunity to steal healthcare data, they 

could get their hands on something that is 

52 www.hcca-info.org 888-580-8373

more valuable than credit card information. 

This is exactly what the HIPAA Security 

Rule aims to prevent. According to this 

rule, the healthcare entity has to take care to 

secure electronic personal health information 

(ePHI) by adopting specific technical 

and non-technical safety procedures. These 

safeguards are designed to protect all forms 

of electronically transmitted patient data and 

disclosure of this kind of data, in non-prescribed 

formats is prohibited. 

All healthcare facilities need to maintain 

and follow a security plan that lets them 

implement the HIPAA provisions. This plan 

covers three main aspects: 

·· 

On the administrative side: The facility 

must have a clear cut process to analyze, 

identify, and manage risk by controlling 

access to personal data, outline training 

requirements to staff, and ensure periodic 

assessments of risk apart from allocating 

responsibility for compliance to a specific 

staff member(s). 

·· 

On the technical side: The healthcare 

facility must have systems in place that 

restrict access to data, maintain data 

integrity, and protect data that is being 

electronically transmitted. 

·· 

On the implementation side: The facility 

must have clear-cut policies and processes 

that limit data access and ensure that 

only authorized personnel can manage 

private data. 

In effect, to remain compliant with HIPAA, 

the healthcare facility must review its processes, 

particularly those pertaining to storage 

of medical records and access to them, data 

transmission between staff and to patients, 

and authorizations to manage patient data. 

The pros and cons 

HIPAA regulations do give patients an additional 

safety cover and they do help reduce the 

risk of cyberattacks, but the advantages come 

with a cost. The biggest challenge that healthcare 

facilities face when it comes to HIPAA 

regulations is that communications between 

staff members is severely limited thanks to 

these provisions. 

Technology can help a medical care facility 

function better with greater cost efficiencies. 

This is a sound reason for many such entities 

to leverage technology to the maximum. This 

is particularly true when it comes to the means 

of communication used to transmit patientrelated 

information between practitioners. 

The use of modern technology and 

electronic information transmission methods 

makes it possible for the physicians or 

caregivers to instantly communicate critical 

information about a patient, which can have 

some tremendous benefits for the patient 

themselves. Unfortunately, since HIPAA bars 

unencrypted communication, technology 

cannot be used effectively. Nurses and doctors, 

instead of using a text messaging service 

such as SMS to communicate with each other 

instantly and easily, now have to look for other 

methods. These other methods may be obsolete 

ones (e.g., pagers), or they may have to 

make announcements over the public address 

system. With the latter, the information is literally 

broadcast to a huge audience, which is 

certainly not conforming to privacy requirements. 

In fact, these methods were used in the 

past, and they faded out because they were 

so inefficient. 

Who is losing? 

The inefficient methods of communication 

are not just affecting the healthcare providers, 

but ultimately affect the patients themselves. 

That’s because the quality of care depends significantly 

on access to information and speedy 

communication between various caregivers in 

the medical facility; if there are glitches in this 

aspect, the quality of care is compromised. 


888-580-8373 www.hcca-info.org 53


Another aspect is that a delay in access to 

information because of HIPAA-established 

protocol also means a delay in treatment 

that can result in the patient being affected 

adversely. Of course, if treatment outcomes are 

compromised, the healthcare facility’s reputation 

is also impaired, meaning that both the 

patient and the facility are losers in this game. 

What is the future impact of 

such inefficiencies? 

Given that the world is integrating technology 

increasingly into daily lives, it makes sense 

to align with this trend. If healthcare facilities 

move in the opposite direction, will they 

truly be catering to the consumer, the patient’s 

needs? Today’s consumers want information 

quickly and in a format that they can instantly 

access from wherever they are. This is possible 

only if electronic transmission is adopted 

fully by healthcare facilities. If these processes 

are restricted by HIPAA regulations, the gap 

between what these entities offer and what the 

patients want is only going to keep expanding 

in the future. 

However, compliance with HIPAA need 

not be the problem; it can be the solution, if the 

right processes and procedures are adopted by 

the healthcare facility. The solution is to make 

use of the right technologies so that patient 

data privacy can be seamlessly combined with 

efficient use of modern technology. One of the 

simplest things to do this is to use encrypted 

methods of communication that offer the highest 

degree of data protection while enabling 

speedy communication. Secure mobile devices 

and email scanners are the perfect option for 

healthcare providers, and these must be used 

in every facility as substitutes to unsafe electronic 

communication tools. 

Investing in these devices may be expensive, 

however, and the facility must look ahead 

and understand that this expenditure will 

pave the way for a safe, secure future where 

the physicians and other staff can offer exemplary 

healthcare solutions that will improve 

the reputation of the facility. The point to 

remember here is that $8 billion dollars’ worth 

of losses are incurred due to inefficiencies 

every year in this sector, and these can be 

eliminated with a comparatively small investment 

in the right technological tools. 

One cannot undermine the role of policies 

in this case. Policies are a mechanism 

that guides actions and sets the correct tone 

for the organization and its healthcare staff. 

Policies, such as patient information confidentiality 

and electronic data implementation 

and retention, need to be developed to cater to 

the regulatory environment and, at the same 

time, have enough scope to manage patient 

care. The problem is that such policies show 

minimum guidelines when it comes to exceptional 

circumstances, such as in emergency 

cases, accident cases, and other critical and 

exceptional situations. Healthcare staff needs 

to adequately be involved, have input, and 

review when compliance professionals create 

such policies. 

Conclusion 

Policies are not the be-all-and-end-all of guidelines. 

The world is moving toward establishing 

committees and task forces that continuously 

monitor the policies and exceptional cases so 

that policies can be continuously enhanced. 

The goal is not to limit these committees’/task 

forces’ role to enhancement of policies, but to 

ensure regular monitoring of cases in facilities 

and ensure adequate training for staff 

where the problems are frequent and regular. 

Compliance generally participates in these 

committees to oversee the role and to ensure a 

strong and robust monitoring mechanism. 

1. Charles Riley: “Insurance giant Anthem hit by massive data breach” 

CNN Money, February 6, 2015. Available at http://cnnmon.ie/2k7YiPf 

54 www.hcca-info.org 888-580-8373

HIPAA causes inefficiency at healthcare institutions: Can it be overcome? By Robin Singh

Create successful ePaper yourself

Delete template?

Save as template?