Can you meet strict privacy rules with limited resources?
Complying with privacy regulations is daunting for many healthcare organizations. First came HIPAA, the HITECH Act, and Meaningful Use, all governing hospital staff access to Protected Health Information (PHI). Then, the Omnibus Final Rule extended requirements to a hospital’s business associates and subcontractors, with the hospital sharing responsibility for any violations. Penalties for breaches can be severe (not to mention the awful publicity). With tight budgets and limited staff, how can organizations better align themselves to comply?
For many hospitals, it’s not easy. Even though HIPAA and the other rules governing sensitive information have been out for years, hospitals are still plagued by inappropriate activity among staff. Inappropriate activities range from someone looking at their spouse’s lab results in the hospital EMR system to massive information harvesting schemes by criminal rings. But, with thousands of accesses daily, it’s impossible to check them all without hiring an army of staff.
So, what do hospitals usually do? The only thing they can—random auditing. They pick a handful of patient records at random and verify that all accesses to those records are appropriate. With so many access events overlooked, the odds of a violation slipping through the cracks are huge. Random auditing may fill a checkbox, but it simply doesn’t work.
Now you’re responsible for third parties, too
The Omnibus Final Rule creates more challenges. Covered entities are required to conduct a risk assessment of any third party that will interact with their systems to create, receive, maintain, or transmit PHI before entering into a business agreement. Once the contract is signed, the hospital then needs to monitor that vendor’s access to PHI. If a breach occurs, the hospital is liable for damages along with the vendor. In the worst case, it puts the hospital at risk of a “willful-neglect” charge, with a maximum penalty of $1.5 million per violation.
Even with stakes this high, hospitals are struggling to comply. Monitoring third-party access to your patients’ PHI requires resources already in short supply. The risk assessment is another problem area. The hospital has to determine whether the partner has the maturity, technology, and processes in place to meet federal regulations. The challenge is how to conduct a valid, meaningful risk assessment that will withstand scrutiny by regulators.
Many hospitals rely on informal risk assessments. They’ll send the vendor a questionnaire to complete or conduct a brief phone interview, filling in check boxes along the way. However, there’s no real verification to confirm that this potential partner is truly safe. Every vendor will promise you the moon to get in the door; unfortunately, hospitals sometimes discover that lofty assurances can be deceiving. The consequences for the hospital can be extremely damaging—remember you will share responsibility, even if a breach is caused by your third-party partner.
Technology can help
Fortunately, technology is available that can help hospitals comply with the gamut of privacy regulations. One example is automated event log monitoring. Solutions with this capability audit user access to PHI to spot potential violations. They use a number of strategies, from algorithm-based log review to behavioral analysis, to detect privacy violations. If a suspicious event occurs, the technology alerts staff in real time and preserves a record for investigation. Rather than picking random patient records to examine, you can focus on audit investigations that are most likely to indicate inappropriate access. It’s a far more cost-effective approach, and there’s much less chance of a breach slipping through the cracks.
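As an added illustration (not code from any product mentioned here), the following rule-based pass over constructed EMR audit events shows the kind of algorithm-based log review described above: instead of sampling charts at random, it surfaces the accesses an auditor should look at first, namely a chart viewed without a documented treatment relationship, a staff member viewing a patient who shares their surname (the spouse scenario), and one account touching many unrelated charts (possible harvesting). Field names, the sample events and the bulk threshold are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    """One PHI access event from an EMR audit log (assumed field set)."""
    user: str              # staff or vendor account that opened the chart
    user_surname: str
    patient_id: str
    patient_surname: str
    on_care_team: bool     # user has a documented treatment relationship


# Constructed sample events; not real audit data.
EVENTS = [
    Access("nurse.lee", "Lee", "P100", "Ortiz", True),
    Access("nurse.lee", "Lee", "P101", "Lee", False),     # spouse's chart
    Access("dr.khan", "Khan", "P100", "Ortiz", True),
    Access("vendor.tmp", "Doe", "P200", "Smith", False),
    Access("vendor.tmp", "Doe", "P201", "Jones", False),
    Access("vendor.tmp", "Doe", "P202", "Brown", False),
    Access("vendor.tmp", "Doe", "P203", "Green", False),
]


def flag_suspicious(events, bulk_threshold=3):
    """Return (user, patient_id, reason) triples that merit an auditor's review.

    Routine accesses by the care team are skipped, so the review queue is
    the set of events most likely to indicate inappropriate access.
    """
    flags = []
    unrelated = defaultdict(set)  # user -> charts viewed with no care relationship
    for e in events:
        if e.on_care_team:
            continue
        if e.user_surname.lower() == e.patient_surname.lower():
            reason = "surname match without care relationship"
        else:
            reason = "no documented treatment relationship"
        flags.append((e.user, e.patient_id, reason))
        unrelated[e.user].add(e.patient_id)
    # Behavioral rule: many unrelated charts from one account looks like harvesting.
    for user, charts in sorted(unrelated.items()):
        if len(charts) >= bulk_threshold:
            flags.append((user, "*", f"{len(charts)} unrelated charts: possible harvesting"))
    return flags


if __name__ == "__main__":
    for user, patient, reason in flag_suspicious(EVENTS):
        print(f"{user:12} {patient:5} {reason}")
```

Of the seven constructed events, two are routine and drop out; the remaining five accesses plus one bulk-access alert are what staff would investigate, in place of a random sample that might miss all of them.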
A valuable side effect of this automated auditing is the impact on the culture of the organization. Some people are inherently nosey; a few may have darker motives for snooping. But with an effective auditing program, they know they are being monitored, and any inappropriate access will be flagged immediately. As people are caught and disciplined, word gets around. Time and again, we’ve seen the results: inappropriate accesses plunge—usually down to zero. It’s another reminder that the most important aspect of any privacy or security plan is the culture that you instill.
Technology can also help manage third-party vendors and ensure compliance with the Omnibus Rule. This includes standardized best-practice vendor risk assessments, with automatic grading against the regulations and identification of major risks so hospital staff don’t lose time interpreting results. Ongoing reviews help keep vendors honest—not only have they undergone a rigorous assessment beforehand, but they know they will be reviewed continually thereafter. You can layer these capabilities together to provide comprehensive vendor management, then add automated monitoring to detect inappropriate access to PHI by third-party staff. In effect, you’re extending the culture of honesty outward to ensure compliance among your vendors.
Compliance is not so hard after all
PHI represents a bond of trust between the patient and the covered entity entrusted with their data. A hospital’s ability to maintain that trust is vital to its reputation, financial success, and longevity. The challenge for many hospitals has been protecting patient privacy with limited resources, leaving them at risk of huge penalties. Fortunately, technology is available that can help bridge the gap, automatically monitoring access to PHI and streamlining risk management of third-party vendors. Not only can hospitals comply with privacy regulations; the combination of high efficiency and breach prevention also provides a meaningful return on their investment.