A Model for Health Information Privacy, Security and Compliance Preparedness
Random Health Insurance Portability and Accountability Act (HIPAA) audits due in 2015 by the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) are rumored to be the toughest and most extensive yet for health plans, clearinghouses, providers and their business associates.
While some healthcare organizations are making a last-minute mad dash to prepare for the audits and others are in denial, keeping their heads down and hoping to avoid the wider net being cast, there are a few shining examples of proactive and comprehensive privacy, security and compliance preparedness. The Utah Health Information Network (UHIN), a full-service clearinghouse and health information exchange (HIE), is one.
The nonprofit voluntary coalition of healthcare providers, payers, Utah state government, and other stakeholders strives to reduce healthcare costs and improve quality for the community by enabling members to exchange administrative and clinical information electronically. The Salt Lake City-based network currently serves nearly all the hospitals, ambulatory surgery centers, national laboratories, insurers, and approximately 90 percent of the medical providers in Utah, as well as the Utah state government.
Two Decades of Success
In the field of health information exchange, littered with examples of failed or defunct efforts, UHIN has a 20-year track record of success and is one of the few state HIEs to go the distance, operating since 1994. While some healthcare organizations face state legislation more stringent than federal law in protecting personal health information, the Utah Health Information Network isn’t worried about meeting state requirements. As a pioneer in HIEs, the organization helped create the privacy and security standards that eventually became part of Utah state law.
“We took the federal law and tightened it by adding clarity,” says Doreen Espinoza, UHIN’s chief business development and privacy officer. “While some states are taking a top-down approach to mandating standards,” she says, “we find in Utah community-based, grassroots efforts work best and fastest.”
The 15-year veteran of UHIN attributes the network’s preparedness partly to Utah’s culture of “coopetition” (competitive cooperation) and “extremely bright and technologically savvy residents who are willing to try new things.” But UHIN is also distinguished by its commitment to the highest standards of privacy, security and confidentiality of its members’ data. It has tremendous buy-in throughout the organization—not always easy with competing priorities—and has built privacy and security into the very fiber of the network.
Espinoza and her security officer counterpart in the C-suite monitor all activities involving personal health information (PHI). While some organizations may confuse privacy and security, placing more emphasis on one or the other, UHIN considers them interdependent and inextricable. “Privacy and security are the ‘what’ and the ‘how,’” she says. “You use security to protect what you want to keep private – PHI.”
Privacy and Security a Priority
UHIN makes privacy and security a priority at every level. According to David Holtzman, former senior advisor at OCR, the investigators are just “dying” to focus on training, as too many organizations haven’t trained since first required to in 2003. At UHIN, all employees receive ongoing privacy and security education and training. UHIN maintains firewalls on all its servers. Every system user is assigned a unique login and must create a unique password to access data, and passwords must be changed regularly. All access to UHIN systems is logged and audited to ensure it is for appropriate reasons, and all data that passes through UHIN systems or that UHIN maintains is encrypted to federal standards at all times, in motion and at rest.
Furthermore, UHIN knows preparedness requires ongoing maintenance and diligence. Regular risk analyses and continuous risk management are established processes at UHIN, not ad hoc activities. As risks in healthcare become more complex, vigilant monitoring must be a highly deliberate process in which a cross-functional team provides oversight. Regular risk analyses and system penetration testing verify the security of UHIN’s IT systems and make sure its employees know how to respond appropriately if there is a risk that privacy or security may be breached.
Years ago, UHIN saw the value of having an independent third party evaluate its privacy and security policies and practices to ensure they met rigorous standards for data protection. Since 2004, UHIN has earned accreditation for its “value-added network.” Formal accreditation was a “natural extension for us,” Espinoza says. “Not only do we comply with privacy and security regulations, we can prove that we follow the letter and spirit of the law with our accreditation.”
Acing an Audit
Based on her experience, Espinoza advises against taking a “wait and see” approach to receiving a formal audit notification letter from OCR. In 2012 UHIN was randomly chosen for a three-day OCR pilot audit. Undergoing a rigorous re-accreditation process every two years since its first accreditation in 2004 gave UHIN multiple dry runs that allowed it to ace the audit. UHIN was one of only two clearinghouse entities that passed their audit with “no findings.” Even having passed the most recent third-party accreditation audit one week before the OCR inspectors arrived, Espinoza estimates she still spent 80 hours “basically repackaging the information” to meet OCR’s specific requirements.
OCR provides only a couple of weeks’ notice to an organization before inspectors descend on its property. “If I had never been through the rigorous accreditation process, to be honest, just based on OCR’s criteria in 2012, I wouldn’t have had a clue,” Espinoza says. “It’s impossible to accomplish in a two-week timeframe. It takes a good six months to ensure you have everything you’re supposed to have because you’re not just pulling the information,” she says. “It has to be packaged appropriately and in the right order. The more you do it, the better you get.”
Independent Oversight
Having a third party run them through their paces for accreditation taught UHIN that “something that sounds really simple can be significantly more complicated when you try to comply with the written word and the spirit of the law,” Espinoza says. “You really need to understand what the law means to your organization and how you comply with the rules.”
UHIN maintains it couldn’t be as effective without accreditation. According to Espinoza, the process “brings together the best technical and legal minds in the industry to interpret the rules. No one person in an organization can know it all. I’m very educated on the operating rules because I helped create them, but there may be an area I’m not familiar with and third-party oversight can help interpret and operationalize it.”
Breaching HIPAA rules has many costs, including civil and criminal penalties, multimillion-dollar fines, and the loss of the confidence and loyalty of your community and customers. Protecting personal health information through accreditation engenders trust and goodwill, Espinoza contends. “We have and want to continue to hold the trust of our community. The question you have to ask yourself is: Do you want your community to trust you or give them a reason not to?”
Lee Barrett is the executive director for EHNAC, the Electronic Healthcare Network Accreditation Commission. Barrett has 10 years of experience leading healthcare professional service organizations as well as 20 years of experience in senior management roles in payer organizations. He can be reached at [email protected].