
HIPAA causes inefficiency at healthcare institutions: Can it be overcome? By Robin Singh

» The cyberattack on Anthem is a wake-up call for healthcare providers to review the security of their patient data.
» Some of the rules in place to safeguard electronic PHI create a vicious circle, which at times is difficult to manage, and a line has to be drawn between health care in theory and health care in practice.
» Entities try to leverage technology for performance efficiencies, better care, and cost efficiencies; however, if the technology becomes a pain rather than a boon, it can only lead to inefficiencies in the system.
» HIPAA requirements may make it difficult for providers to communicate and share patient information with each other in emergencies, thus impacting patient care.
» Institutions should create a mechanism to use technology to their advantage by identifying alternative mechanisms to satisfy their end goal, which is to provide adequate care.


By Robin Singh, MSc-Law, MSc-IT, LPEC, CFE

Compliance Today March 2017

Robin Singh (robinsingh002@yahoo.com) is a seasoned Compliance and Fraud Examiner and currently works with the Abu Dhabi (United Arab Emirates) government in Health Services. Twitter: @drobinsingh LinkedIn: https://ae.linkedin.com/in/whitecollarinvestigator

The cyberattack on Anthem, the second largest insurer in the U.S., triggered a wave of panic among healthcare institutions and beneficiaries alike about the safety and privacy of their personal records. Anthem Inc. announced in February 2015 that 80 million past and present customers had been the target of a massive data breach that compromised names, birthdays, medical IDs, Social Security numbers, street addresses, and employment information.[1] That means they are at risk of identity fraud.
Anthem is a huge organization and, although it may not be directly concerned with providing healthcare, the truth is evident—health-related data is as deserving of security protocols as other key data, such as bank details or Social Security details. The fact is that unauthorized access to healthcare information allows fraudsters to exploit various opportunities to make money or receive benefits. For example, they may claim insurance benefits, they may receive medical care, they may buy medical equipment or drugs—all under the name of the individual whose identity or data they have stolen. The possible repercussions of this type of fraud are enormous and have been brought into the spotlight. The need for stringent and effective controls to prevent access to data by unauthorized people is therefore immense.

Patient data security and HIPAA

One of the objectives of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is to prevent cyberattacks on healthcare institutions. If hackers have an opportunity to steal healthcare data, they could get their hands on something that is more valuable than credit card information. This is exactly what the HIPAA Security Rule aims to prevent. According to this rule, the healthcare entity has to take care to secure electronic personal health information (ePHI) by adopting specific technical and non-technical safety procedures. These safeguards are designed to protect all forms of electronically transmitted patient data, and disclosure of this kind of data in non-prescribed formats is prohibited. All healthcare facilities need to maintain and follow a security plan that lets them implement the HIPAA provisions. This plan covers three main aspects:

·· On the administrative side: The facility must have a clear-cut process to analyze, identify, and manage risk by controlling access to personal data, outline training requirements for staff, and ensure periodic assessments of risk, apart from allocating responsibility for compliance to a specific staff member(s).
·· On the technical side: The healthcare facility must have systems in place that restrict access to data, maintain data integrity, and protect data that is being electronically transmitted.
·· On the implementation side: The facility must have clear-cut policies and processes that limit data access and ensure that only authorized personnel can manage private data.

In effect, to remain compliant with HIPAA, the healthcare facility must review its processes, particularly those pertaining to storage of medical records and access to them, data transmission between staff and to patients, and authorizations to manage patient data.

The pros and cons

HIPAA regulations do give patients an additional safety cover and they do help reduce the risk of cyberattacks, but the advantages come with a cost. The biggest challenge that healthcare facilities face when it comes to HIPAA regulations is that communication between staff members is severely limited thanks to these provisions.
Technology can help a medical care facility function better with greater cost efficiencies. This is a sound reason for many such entities to leverage technology to the maximum. This is particularly true when it comes to the means of communication used to transmit patient-related information between practitioners. The use of modern technology and electronic information transmission methods makes it possible for the physicians or caregivers to instantly communicate critical information about a patient, which can have some tremendous benefits for the patient themselves. Unfortunately, since HIPAA bars unencrypted communication, technology cannot be used effectively. Nurses and doctors, instead of using a text messaging service such as SMS to communicate with each other instantly and easily, now have to look for other methods. These other methods may be obsolete ones (e.g., pagers), or they may have to make announcements over the public address system. With the latter, the information is literally broadcast to a huge audience, which certainly does not conform to privacy requirements. In fact, these methods were used in the past, and they faded out because they were so inefficient.

Who is losing?

The inefficient methods of communication are not just affecting the healthcare providers, but ultimately affect the patients themselves. That's because the quality of care depends significantly on access to information and speedy communication between various caregivers in the medical facility; if there are glitches in this aspect, the quality of care is compromised.
