Taken a step further, analytics and big data became an opportunity to scrutinize this data as the era of digital analytics ensued. In addition, EHRs affected litigation and the preservation of data. Records Management has been around for hundreds of years, but its visibility grew significantly with the advent of electronically stored information, which drove changes to Federal regulations on how electronic documentation is handled during the legal discovery process.
HIPAA is unclear, at best: it is hard not only to learn what is required, but also to work out how to comply with the rules in a rigorous, competent manner. Fortunately, we provide model documents with the HOW written in plain English by a legal subject matter expert! We provide not only the source of the regulations, but also a short description, a sample policy, controls and processes for compliance, a method for tracking compliance, and more.
Do you mean there are other Compliance Regimes with additional regulations looming? If one Compliance Regime is difficult to understand and manage, imagine the difficulty of complying with and adequately addressing the regulatory challenges of more than one set of regulations concurrently. How many other regimes are being "marked up" as we speak to deal with the security breaches and invasions of privacy that seem to occur on the battlefields of our daily lives? How should organizations prepare to address, understand, establish controls for, and comply with a regulatory environment that is almost certainly going to become more complex, despite all the promises of deregulation?
The European Union ("EU") implemented the General Data Protection Regulation ("GDPR"), effective May 25, 2018, to regulate the protection of Personal Data. GDPR could prove transformative as the first Global Privacy and Security Regulations. Like HIPAA, the Payment Card Industry Data Security Standard ("PCI DSS") has been around for a while. PCI DSS provides standards for organizations that process major credit cards. The Gramm-Leach-Bliley Act (GLB) requires financial institutions to explain their information-sharing practices to customers. In addition, the Sarbanes-Oxley Act (SOX) mandates strict financial reforms to protect investors from fraud. These are prominent regimes that are alive and well today. What we don't know is how the House and Senate will respond to continuing incidents analogous to the recent Facebook debacle.
THE COMPLIANCE STACK™ is one way to concurrently address more than one compliance regime and to handle the accompanying explosion of regulations. Let's take a deeper look.
INFORMATION GOVERNANCE STACK™
A stack within a stack? There are many reasons to establish Information Governance policy across and within industries. Healthcare's need to ensure the integrity of personal health information is not only a factor in HIPAA compliance; health information also faces the unique challenges of cost and improved care for the patients it serves. The goals of the well-known "Triple Aim" rely on information governance: improving the patient's experience of care, improving the health of populations, and reducing the per capita cost of health care. [ii]
DATA RETENTION
With the advent of digitization, storage of electronic data has become an effective method for Records Management and Data Retention. However, one of the most difficult questions to answer is what types of data should be retained, and for how long. In healthcare, accurate and timely documentation is essential to the provision of medical care. The Legal Health Record is used for guidance in healthcare settings, whether paper-based, electronic, or a hybrid. Legal liability issues for patient data include "proof of quality" of patient care and "liability related to unauthorized access and handling of patient information." [iii] Do you see hints of HIPAA Privacy and Security? In the financial industry, organizations must recognize the important connection between data and records management policies to prevent corruption, fraud, and maladministration of financial data. [iv]
eDiscovery
When a lawsuit seeks discovery of information, the process is known as eDiscovery (at least to the extent that electronic documents are sought). The Federal Rules of Civil Procedure ("FRCP") govern all forms of eDiscovery, which potentially covers all electronically stored information, including business and/or patient records. [v] eDiscovery is a method of obtaining facts for a legal matter, so the processes used to manage and retain data are essential not only for business and healthcare operations but also for potential eDiscovery.
POLICIES AND PROCESSES
Given the different Compliance Regimes and their specific needs, the policies and processes for each aspect of a given regime will be unique to its requirements. For example, healthcare policy on data retention may differ significantly from what SOX or PCI DSS requires. This is where your creativity and knowledge are needed: to establish policies for a specific regime and, where appropriate, to leverage modified versions of those policies across regimes. We provide model policies, procedures, and tracking mechanisms for HIPAA, but they must be reviewed and may (and usually do) require modification to meet the needs of your organization. Each organization has its own definition of what is considered "Reasonable and Appropriate."
SECURITY CONTROLS: Do you understand the hazards of Health IT?
One of the biggest issues facing organizations today is how to defend themselves against human error and potential cyber attacks. [vi] Establishing effective Security Controls to defend protected data against unauthorized disclosure and cyber attacks is paramount, regardless of regime.
New and innovative technologies are being introduced at a rapid pace, a "disruptive innovation cycle." Clayton Christensen's book The Innovator's Prescription: A Disruptive Solution for Health Care describes this, and Stephen Schimpff wrote an article for the Harvard Business Journal entitled Disruptive Changes Are Coming to the Delivery of Medical Care. Consider eHealth and Telemedicine as two of the first examples of disruptive change in healthcare. These disruptions, and others, will require innovative security controls if they are to survive in the marketplace.
Effective Security Controls extend far beyond the protection of computers themselves. An effective program includes both technical and human controls: avoiding loss of data, preventing accidental or intentional avoidable activities, preventing unauthorized access, deterring loss, recovering after a loss has occurred, and correcting system weaknesses so that the incident cannot happen again. [vii] So cyber attacks are just one aspect of the controls that should be implemented; security controls reach far beyond isolated protection and vulnerability incidents.
CONCLUSION
Many of the regulations we now face in the modern world had their beginnings in the ethics and values of society. As requirements became more sophisticated, these values and demands became laws. For healthcare, legal and ethical issues initially focused on patient record requirements, confidentiality, informed consent, and access. With HIPAA, the circle widened to encompass Risk Management and Remediation, and requirements for the management of records containing Protected Health Information ("PHI").
The complexity of regulatory compliance, regardless of the regime, requires an investment of time to understand and implement policies, processes, and security controls. Yet they offer no revenue in return for the organization's investment; what they do "offer" is civil monetary penalties for non-compliance. We must, as Napoleon Bonaparte once said, "Respect the Burden."
Organizations should look beyond tactical solutions when searching for a compliance vendor. Compliance is not a "once and done" activity; it is an ongoing responsibility to monitor and adapt to changes not only in the workplace but also in the regulations. Organizations are better served by identifying long-term partnering opportunities with vendors that continue to innovate not only technically but, more importantly, provide the thought leadership and assistance that will help you navigate the white-water rapids lurking over the horizon.
[i] McWay, Dana C. Legal and Ethical Aspects of Health Information Management. Clifton Park, NY: Delmar Cengage Learning, 2010.
[ii] Berwick, Donald M., Thomas W. Nolan, and John Whittington. "The Triple Aim: Care, Health, And Cost." Health Affairs 27, no. 3 (May/June 2008). Accessed May 30, 2018. https://doi.org/10.1377/hlthaff.27.3.759.
[iii] McWay, Dana C. Legal and Ethical Aspects of Health Information Management. Clifton Park, NY: Delmar Cengage Learning, 2010.
[iv] Palmer, Marlize. "Records Management and Accountability versus Corruption, Fraud and Maladministration." Records Management Journal 10, no. 2 (2000): 61-72. https://doi.org/10.1108/EUM0000000007256.
[v] McWay, Dana C. Legal and Ethical Aspects of Health Information Management. Clifton Park, NY: Delmar Cengage Learning, 2010.
[vi] Fielder, Andrew, Emmanouil Panaousis, Pasquale Malacaria, Chris Hankin, and Fabrizio Smeraldi. "Decision Support Approaches for Cyber Security Investment." Decision Support Systems 86 (June 2016): 13-23. Accessed May 31, 2018. https://doi.org/10.1016/j.dss.2016.02.012.
[vii] Wright, Marie A. "Protecting Information: Effective Security Controls." Review of Business (New York) 16, no. 2: 24.