Keep up with the latest on information governance as this key strategy emerges for addressing a myriad of information management challenges in healthcare. This blog will highlight the trends and opportunities IG presents for ensuring information is treated as an organizational asset.
By Kathryn Ayers Wickenhauser, MBA, CHPC, CHTS-TR
AHIMA hosted their 11th annual Privacy and Security Institute October 7-8 in Los Angeles this year, drawing compliance and cybersecurity aficionados alike to two days full of useful and actionable information for both covered entity and business associate organizations.
This institute, which takes place before the Annual Convention and Exhibit, offered a unique opportunity for compliance, privacy, and security professionals to network and learn from each other, comparing and contrasting their different approaches to many of the same compliance issues.
As a first-time attendee, I found that the 22 sessions offered covered a wide range of HIPAA privacy, security, and breach issues, offering new insights and takeaways for me to implement within my own organization. While the sessions all differed in topic, covering the vast landscape of healthcare compliance, several common themes occurred to me throughout the presentations. Sometimes it isn’t solely about the content of the individual presentations, but also the lessons learned and inferred in between the information presented, which point to larger trends and lessons.
Here are five highlights from AHIMA’s Privacy and Security Institute that we all can learn from, regardless of our role and impact upon compliance in our respective organizations.
#1: Preparedness is key.
Compliance is not just about the defensive strategy after something goes awry; it is very much about an organization’s proactive posture, including trying to thwart compliance threats before they happen. Being prepared for compliance threats both new and old is key. In Daniel Nigrin’s session, “When Hacktivists Target Your Hospital,” he discussed how his organization took appropriate preventative measures when it was alerted that it might be the target of a cyberattack. He highlighted that when they discovered the possibility of an attack, they were not sure whether the threat was legitimate, but decided not to let the uncertainty stop the organization from preparing in the event an attack happened. After three weeks of silence, they thought the organization was “out of the woods,” but lo and behold, an attack did start. Because the organization had taken the threat seriously and implemented contingency plans in case of an attack, they were able to execute their plan and minimize organizational impact when the attack did pick up. While Nigrin’s story was specific to cyberthreats, it is easy to see the relationship to, and the importance of, preparation in the field of compliance. As healthcare compliance professionals, it is imperative to look towards the future and growing trends to ensure our organizations are protected. The last thing any organization wants is to end up on the HHS “Wall of Shame,” the public breach reporting portal.
#2: HIPAA is gray. It’s about how it’s applied in your experience and organization.
A key takeaway from the Privacy and Security Institute was that compliance is not a one-size-fits-all, black-and-white experience. HIPAA is very much about how it is applied in a given scenario, including how policies, procedures, and other protocols are documented and followed. A great illustration of the differences in interpretation of HIPAA was Adam Greene’s session “Advanced Breach Notification Case Studies.” Greene presented numerous scenarios of unauthorized disclosures, some seemingly simple, others much more complex. However, a room full of compliance experts never reached a consensus on any of the five cases discussed as to whether the situation was a reportable breach. Attendees argued both sides of each case, explaining why they would or would not determine a situation to be a breach. I personally found it enlightening to hear the thought process of others involved in day-to-day compliance efforts. This just goes to show that HIPAA truly is about how it is interpreted, documented, and applied within a given organization.
#3: Healthcare will remain a people-oriented industry.
Healthcare, at its core, will remain a people business. Compliance is much the same—the primary key to a positive culture of compliance is the people who make up an organization. Throughout the Institute, we discussed the various ways our people impact the healthcare delivery process, including compliance. Even with the advent of health information exchanges (HIEs), enterprise data warehouses (EDWs), and health information service providers (HISPs), technology does not mean an automated patient experience. Compliance will still be involved to verify authorizations in the case of third-party PHI disclosure or in cases of mental health, behavioral health, and substance abuse treatment. Additionally, one presenter commented that 85 percent of security is related to staff training and diligence, such as not writing passwords down on post-it notes and the secure and proper destruction of PHI. As long as PHI needs protection to ensure its proper security and disclosure, people must remain a critical component of the healthcare compliance process.
#4: The only constant in life (and the healthcare industry) is change.
The Privacy and Security Institute reinforced the idea that while healthcare has recently seen a lot of change, we can only expect more change in the future. For instance, the Institute included a lot of conversation regarding Patient Right to Access and patient-directed requests for health information. Although the Office for Civil Rights (OCR) issued guidance in 2016, Patient Right to Access has remained the number three cause of complaint and enforcement action in 2016 and 2017. As organizations seek to interpret parts of the guidance, OCR may issue additional guidance in the future to continue to clarify its intent. Peggy Lee, Deputy Regional Manager from the Office for Civil Rights, suggested at the Institute that organizations pay attention to the OCR resolution agreements as a source of guidance. The resolution agreements highlight current issues OCR is dealing with, and they provide a roadmap for organizations to understand where they may need to improve their own compliance. Additionally, compliance and healthcare professionals alike can expect many changes with interoperability and the increasing frequency and methods of data exchange. As the healthcare industry changes and evolves, so will healthcare compliance.
#5: There is always an opportunity to continue learning, and we can all learn from each other.
Our best teachers are each other. With a plethora of options for continuing education from AHIMA in the form of in-person workshops and institutes, webinars, the online Engage community, the Journal of AHIMA, and other books and written materials, there is no shortage of opportunities to expand horizons and learn more about a given topic. But don’t just be passive in your education; speak up! Ask questions, share your personal experience, and answer another’s inquiry. One of the most helpful and powerful parts of the Privacy and Security Institute was hearing from other people who had been there, such as Nigrin’s hacktivists presentation and April Carlson’s session on her experience going through an OCR audit. When we participate in conversation, pursue education, and share our experiences, we all help advance healthcare and compliance.
I found the AHIMA Privacy and Security Institute to be incredibly useful and valuable. The sessions were focused and contained practical information I knew my organization could immediately use. While the content presented was thought-provoking in its own right, the larger trends and lessons certainly provide a framework for education not only for our Compliance Team, but also as drivers for internal education across our organization for the upcoming year. I am already looking forward to the expanded Institute next year.