HIPAA causes inefficiency at healthcare institutions: Can it be overcome? By Robin Singh
» The cyber attack on Anthem is a wake-up call for healthcare providers to review the security of their patient data. » Some of the rules in place to safeguard electronic PHI create a vicious circle, which at times is difficult to manage, and a line has to be drawn between health care in theory and health care in practice. » Entities try to leverage technology for performance efficiencies, better care, and cost efficiencies; however, if the technology becomes a pain rather than a boon, it can only lead to inefficiencies in the system. » HIPAA requirements may make it difficult for providers to communicate and share patient information with each other in emergencies, thus impacting patient care. » Institutions should create a mechanism to use technology to their advantage by identifying alternative mechanisms to satisfy their end goal, which is to provide adequate care. By #RobinSingh, the #whitecollarinvestigator
Compliance Today, March 2017. A publication of the Health Care Compliance Association. www.hcca-info.org
This article, published in Compliance Today, appears here with permission from the Health Care Compliance Association. Call HCCA at 888-580-8373 with reprint requests.
HIPAA causes inefficiency at healthcare institutions: Can it be overcome?
by Robin Singh, MSc-Law, MSc-IT, LPEC, CFE
» The cyberattack on Anthem is a wake-up call for healthcare providers to review the security of their patient data.
» Some of the rules in place to safeguard electronic PHI create a vicious circle, which at times is difficult to manage, and a line has to be drawn between healthcare in theory and healthcare in practice.
» Entities try to leverage technology for performance efficiencies, better care, and cost efficiencies; however, if the technology becomes a pain rather than a boon, it can only lead to inefficiencies in the system.
» HIPAA requirements may make it difficult for providers to communicate and share patient information with each other in emergencies, thus impacting patient care.
» Institutions should create a mechanism to use technology to their advantage by identifying alternative mechanisms to satisfy their end goal, which is to provide adequate care.
Robin Singh (robinsingh002@yahoo.com) is a seasoned Compliance and Fraud Examiner and currently works with the Abu Dhabi (United Arab Emirates) government in Health Services. Twitter: @drobinsingh LinkedIn: https://ae.linkedin.com/in/whitecollarinvestigator
The cyberattack on Anthem, the second largest insurer in the U.S., triggered a wave of panic among healthcare institutions as well as beneficiaries about the safety and privacy of their personal records. Anthem Inc. announced in February 2015 that 80 million past and present customers had been the target of a massive data breach that compromised names, birthdays, medical IDs, Social Security numbers, street addresses, and employment information. [1] That means they are at risk of identity fraud. Anthem is a huge organization and, although it may not be directly concerned with providing healthcare, the truth is evident—health-related data is as deserving of security protocols as other key data, such as bank details or Social Security details.
The fact is that unauthorized access to healthcare information allows fraudsters to exploit various opportunities to make money or receive benefits. For example, they may claim insurance benefits, they may receive medical care, they may buy medical equipment or drugs—all under the name of the individual whose identity or data they have stolen. The possible repercussions of this type of fraud are enormous and have been brought into the spotlight. The need for stringent and effective controls to prevent access to data by unauthorized people is therefore immense.
Patient data security and HIPAA
One of the objectives of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is to prevent cyberattacks on healthcare institutions. If hackers have an opportunity to steal healthcare data, they could get their hands on something that is more valuable than credit card information. This is exactly what the HIPAA Security Rule aims to prevent. According to this rule, the healthcare entity has to take care to secure electronic personal health information (ePHI) by adopting specific technical and non-technical safety procedures. These safeguards are designed to protect all forms of electronically transmitted patient data, and disclosure of this kind of data in non-prescribed formats is prohibited.
All healthcare facilities need to maintain and follow a security plan that lets them implement the HIPAA provisions. This plan covers three main aspects:
• On the administrative side: The facility must have a clear-cut process to analyze, identify, and manage risk by controlling access to personal data, outline training requirements for staff, and ensure periodic assessments of risk, apart from allocating responsibility for compliance to a specific staff member(s).
• On the technical side: The healthcare facility must have systems in place that restrict access to data, maintain data integrity, and protect data that is being electronically transmitted.
• On the implementation side: The facility must have clear-cut policies and processes that limit data access and ensure that only authorized personnel can manage private data.
In effect, to remain compliant with HIPAA, the healthcare facility must review its processes, particularly those pertaining to storage of medical records and access to them, data transmission between staff and to patients, and authorizations to manage patient data.
The pros and cons
HIPAA regulations do give patients an additional safety cover and they do help reduce the risk of cyberattacks, but the advantages come with a cost. The biggest challenge that healthcare facilities face when it comes to HIPAA regulations is that communication between staff members is severely limited thanks to these provisions.
Technology can help a medical care facility function better with greater cost efficiencies. This is a sound reason for many such entities to leverage technology to the maximum. This is particularly true when it comes to the means of communication used to transmit patient-related information between practitioners.
The use of modern technology and electronic information transmission methods makes it possible for the physicians or caregivers to instantly communicate critical information about a patient, which can have some tremendous benefits for the patients themselves. Unfortunately, since HIPAA bars unencrypted communication, technology cannot be used effectively. Nurses and doctors, instead of using a text messaging service such as SMS to communicate with each other instantly and easily, now have to look for other methods. These other methods may be obsolete ones (e.g., pagers), or they may have to make announcements over the public address system. With the latter, the information is literally broadcast to a huge audience, which certainly does not conform to privacy requirements. In fact, these methods were used in the past, and they faded out because they were so inefficient.
Who is losing?
The inefficient methods of communication are not just affecting the healthcare providers, but ultimately affect the patients themselves. That’s because the quality of care depends significantly on access to information and speedy communication between various caregivers in the medical facility; if there are glitches in this aspect, the quality of care is compromised.
Another aspect is that a delay in access to information because of HIPAA-established protocol also means a delay in treatment that can result in the patient being affected adversely. Of course, if treatment outcomes are compromised, the healthcare facility’s reputation is also impaired, meaning that both the patient and the facility are losers in this game.
What is the future impact of such inefficiencies?
Given that the world is integrating technology increasingly into daily lives, it makes sense to align with this trend. If healthcare facilities move in the opposite direction, will they truly be catering to the consumer, the patient’s needs? Today’s consumers want information quickly and in a format that they can instantly access from wherever they are. This is possible only if electronic transmission is adopted fully by healthcare facilities. If these processes are restricted by HIPAA regulations, the gap between what these entities offer and what the patients want is only going to keep expanding in the future.
However, compliance with HIPAA need not be the problem; it can be the solution, if the right processes and procedures are adopted by the healthcare facility. The solution is to make use of the right technologies so that patient data privacy can be seamlessly combined with efficient use of modern technology. One of the simplest ways to do this is to use encrypted methods of communication that offer the highest degree of data protection while enabling speedy communication. Secure mobile devices and email scanners are the perfect option for healthcare providers, and these must be used in every facility as substitutes for unsafe electronic communication tools.
Investing in these devices may be expensive; however, the facility must look ahead and understand that this expenditure will pave the way for a safe, secure future where the physicians and other staff can offer exemplary healthcare solutions that will improve the reputation of the facility. The point to remember here is that $8 billion worth of losses are incurred due to inefficiencies every year in this sector, and these can be eliminated with a comparatively small investment in the right technological tools.
One cannot underestimate the role of policies in this case. Policies are a mechanism that guides actions and sets the correct tone for the organization and its healthcare staff. Policies, such as patient information confidentiality and electronic data implementation and retention, need to be developed to cater to the regulatory environment and, at the same time, have enough scope to manage patient care. The problem is that such policies provide minimal guidelines when it comes to exceptional circumstances, such as emergency cases, accident cases, and other critical and exceptional situations. Healthcare staff need to be adequately involved, provide input, and review such policies when compliance professionals create them.
Conclusion
Policies are not the be-all and end-all of guidelines. The world is moving toward establishing committees and task forces that continuously monitor the policies and exceptional cases so that policies can be continuously enhanced. The goal is not to limit these committees’/task forces’ role to enhancement of policies, but to ensure regular monitoring of cases in facilities and ensure adequate training for staff where the problems are frequent and regular. Compliance generally participates in these committees to oversee the role and to ensure a strong and robust monitoring mechanism.
1. Charles Riley: “Insurance giant Anthem hit by massive data breach” CNN Money, February 6, 2015. Available at http://cnnmon.ie/2k7YiPf