By Carol Amick, manager of healthcare services, CompliancePoint.
According to the United States Department of Health and Human Services (HHS), approximately 70 percent of organizations are not HIPAA compliant. The Health Insurance Portability and Accountability Act, known as HIPAA, mandates industry-wide standards for handling healthcare information and electronic billing, and requires the protection and confidential handling of protected health information (PHI).
Under the HIPAA rules, any organization that handles PHI must have physical, network and process security measures in place and must be able to show that they are followed. It is fair to say that many organizations remain perplexed by HIPAA audits, enforcement and compliance; as a result, the organizations that fail to meet compliance each year remain the majority. To begin understanding compliance, healthcare organizations would be wise to consider three key recommendations.
Analyze the past, to avoid making the same mistake twice
It is important for hospitals and healthcare facilities to look at the mistakes that are repeatedly noted in HIPAA security reviews. HHS's Office for Civil Rights (OCR) reports that, across the cases it investigates, the same compliance issues recur each year: impermissible uses and disclosures of PHI, lack of safeguards for PHI, lack of patient access to their own health information, lack of administrative safeguards for electronic PHI, and use or disclosure of more than the minimum necessary PHI. Analyzing these past mistakes is an important step in protecting valuable data.
Perform a risk assessment and GAP analysis
One preventive measure for assessing an organization's HIPAA compliance is to perform both a risk analysis and a gap analysis. Confusion between the two has been common among healthcare professionals for some time, and not understanding the difference can be detrimental: a risk analysis identifies the threats and vulnerabilities to the confidentiality, integrity and availability of the electronic PHI an organization holds, together with the likelihood and impact of each, whereas a gap analysis compares current practices against a fixed set of requirements. The HIPAA Security Rule requires covered entities and business associates to conduct a risk analysis; a gap analysis alone does not satisfy that requirement.
A HIPAA gap analysis measures the organization's information security posture against the HIPAA requirements, using the HHS OCR audit protocol as the yardstick. Comparing current practices to the audit protocol identifies the strengths and weaknesses of the security program. From there, the organization can determine whether it has reasonable and appropriate administrative, physical and technical safeguards in place to protect patient health information. Performing the gap analysis also lets the organization assemble an audit response toolkit: the data and documentation that would demonstrate its compliance with the HIPAA regulations to regulators.
Amazon has announced that a version of its virtual assistant technology, Alexa, is now HIPAA-eligible, meaning it is available for applications that are subject to HIPAA's data privacy and security requirements. The HIPAA-eligible version, specifically the Alexa Skills Kit, is currently available to a limited number of developers by invitation only.
Why?
Amazon has seen increasing interest in Alexa's potential to serve as a virtual healthcare assistant. While devices like PCs, tablets and smartphones have contributed to advances in healthcare, they have been problematic for some aspects of patient engagement, particularly among the elderly and others who physically cannot, or will not, use them.
The idea of a smart, always-available, hands-free, voice-powered virtual assistant that can answer questions, deliver medication reminders, facilitate communication with one’s doctor, provide health coaching, and more, has piqued the interest of the healthcare community. Amazon has responded.
What’s different
Until now, Alexa's use in healthcare has been mostly limited to question-answering services: voice apps, or "skills" in Alexa parlance, that answer general questions about health conditions, treatments, symptoms and so on. Amazon Echo users, for example, can access health benefit information from a skill like Answers by Cigna, or tap into one of many symptom checkers in the Alexa marketplace. The big change is that Alexa can now be used in certain applications that collect and transmit protected health information (PHI).
This opens a whole new world of voice applications beyond basic Q&A, such as remote patient monitoring, population health, medication adherence and clinical trial optimization. It seemed inevitable that voice assistants like Alexa and smart speaker-equipped devices like the Amazon Echo would find their way into clinical applications. Amazon's announcement confirms this.
Beware
Organizations must understand the full range of issues surrounding the what, why and how of securing voice-first healthcare applications. HIPAA is just the start: there is no formal HIPAA certification process, and HIPAA applies only in the U.S. Many healthcare IT departments also use other industry standards or have created their own standards for data privacy and security. In their eyes, securing a voice application goes well beyond ensuring that a service provider will sign a HIPAA business associate agreement. Issues such as user authentication (a speaker in a shared room cannot by itself tell who is talking), data privacy in shared spaces, network and device compromise, and secure system integration (e.g. with an EHR) should all be addressed.
By Amy Perry, director of product marketing, OpenText.
The pace of digital transformation is increasing rapidly, with more industries adopting new technologies that recast workflows. New solutions powered by artificial intelligence and machine learning are enabling machines to handle processes that were once cumbersome for employees.
In fact, the rate of this shift is so pronounced that according to Deloitte, the average digital transformation budget has increased by 25 percent over the past year, from $11 million to $13.6 million. More than half of mid-sized and large companies are spending more than $10 million on these efforts.
While this trend affects almost every industry, it presents unique challenges to the healthcare sector. One of the most important challenges digital transformation presents to healthcare professionals is interoperability. As the sheer amount of health-related data, along with the ways to transmit and store it, continues to increase, the ability of healthcare organizations to manage the free flow of information between the patient's care team and the patient becomes more vital. At the same time, healthcare providers must ensure the highest levels of patient data privacy.
Unsurprisingly, most healthcare providers are preparing for this challenge. According to a new survey of healthcare IT professionals conducted by OpenText in conjunction with IDG Research, 85 to 94 percent of healthcare organizations are either actively investing or are planning to quickly invest in interoperability infrastructure to provide more intelligent and connected healthcare. While this intent is a great starting point, the journey can still be challenging for organizations of every size.
Ensuring a freer flow of information between providers to enhance the patient experience while adhering to HIPAA's privacy mandates may initially seem impossible to many teams. Wider adoption of paperless fax across the industry could provide a data-centric approach that advances interoperability goals while keeping patient privacy paramount.
Paperless fax gains momentum
The continued reliance on fax stems from HIPAA's requirement that patient information be securely stored and communicated. Ordinary unencrypted email does not meet the Security Rule's transmission safeguards, so many organizations route PHI through other channels, such as secure fax. While paper-based fax has become almost obsolete in other industries, it is still heavily used in healthcare despite the roadblocks it creates for efficient communication: it is a labor-intensive process that leaves patient information hard to reach at the point of care and slows care coordination between providers. Though these shortcomings are widely recognized among healthcare professionals, nearly half of patient information is still transmitted by paper-based fax.
Findings from the same survey confirm momentum in paperless fax technology. According to respondents, 50 percent of all medical communications still travel over some form of fax, but paperless faxing now surpasses paper-based faxing in volume. A significant majority of respondents favor paperless faxing because of its digital integration capabilities.
Seventy-six percent of respondents agreed or strongly agreed that they are happy with their current paperless faxing method because it is integrated with their electronic medical record (EMR), back-end system or other applications. Integrated with EMR, document management and clinical applications, a paperless fax solution becomes one of the most connected systems in an organization, optimizing patient information exchange, reducing costs and increasing productivity.
The catalyst for future patient information exchange
Another favorable attribute of paperless faxing is that, with encrypted transmission and logged access, it provides a more secure form of patient information exchange than paper fax and supports the requirements of the HIPAA Privacy and Security Rules for PHI. As new interoperability tools based on standards for the secure transmission of patient records are considered across many healthcare organizations, providers can use their existing paperless fax solution as a bridge to modern, secure and interoperable exchange of patient documentation that is integrated across systems and applications.
Ultimately, the study's findings show that technology has silenced the death knell many thought had sounded for fax. Instead of being a siloed, time-consuming way to share information, new paperless fax technologies are eliminating these inefficiencies by shortening the time it takes to get patient information to the right provider and speeding access to critical information at the point of care. A cloud-based delivery system is an attractive step as organizations adopt digital transformation. Healthcare providers must modernize legacy systems and embrace these technologies to stay at the forefront of the industry and meet patients' growing expectations.
By Drew Ivan, EVP of product and strategy of Rhapsody.
It was generally recognized by 2009 that the health care industry was long overdue when it came to adopting electronic systems for storing patient data. At the time, hospital adoption of electronic health record (EHR) systems was at about 10 percent while electronic record keeping was commonplace in most other industries. EHR technology was widely available, yet doctors and hospitals were still using paper charts.
The HITECH Act of 2009 was part of a broader stimulus package that financially nudged hospitals and eligible professionals to adopt and use EHRs. The meaningful use incentive program began a national, decade-long project to adopt, implement and optimize EHR software. The program was a huge success, judged by the most obvious metric, EHR adoption. Today, nearly 100 percent of hospitals are using electronic health records. This means that records are far less exposed to physical damage, far easier to analyze and report on, and, in theory at least, easier to transfer from one provider to another.
However, when viewed through the lens of return on investment, the success is less impressive. The federal government has spent $36 billion to encourage providers to adopt EHR systems but the industry has spent far more than that to procure, implement and optimize the software. Yet, hospitals are seeing reduced productivity, doctors face a huge documentation burden, and interoperability remains an unsolved problem. The first two problems are the consequence of workflow changes brought on by the EHR systems, but interoperability roadblocks ought to have been eliminated by implementing EHR systems, so why is it still so difficult to transfer records from one provider to another, or from a provider to the patient?
Health IT experts generally consider three categories of obstacles to interoperability:
Business disincentives: allowing medical records to move to a different provider makes it easier for patients themselves to move to another provider, and helping customers switch health care providers is contraindicated by usual business practices (even though HIPAA states that patients are entitled to receive copies of their medical records and may direct copies of their records to be sent elsewhere.)
Technical challenges: Meaningful use set a fairly low bar for cross-organizational data exchange requirements, and it did little to ensure that EHR systems could understand data sent from another system. Although these problems are largely resolved today, there is still the impression that “interoperability is a hard technical problem”.
Network effects: point-to-point connections between providers are impractical, but the network approach also has its drawbacks. The assortment of HIEs and national interoperability initiatives is huge and confusing, and it’s not obvious which network(s) an organization should join.
There may have been an assumption that when medical records moved from paper to electronic format they would immediately become more interoperable, but by 2016, the level of interoperability was far below what patients and regulators expected. As a result, the 21st Century Cures Act of 2016 was passed by Congress and signed into law by the outgoing Obama administration. The law’s scope included a number of health care priorities, including a patch for the interoperability gap left by Meaningful Use. Cures explicitly forbids providers, technology vendors, and other organizations from engaging in “information blocking” practices.
Earlier in 2019, the Office of the National Coordinator for Health IT (ONC) issued a notice of proposed rulemaking (NPRM) that defined exactly what is (and what is not) meant by “information blocking.” Once adopted, the expectation will be that a patient’s medical records will move according to the patient’s preferences. Patients will be able to direct their data to other providers and easily obtain copies of their data in electronic format.
It is not uncommon today to conduct large amounts of personal business online, including discussing or sharing medical records. You might think that any place that shares your medical records online would invest in serious digital security, but you would be surprised.
It takes just one small mistake on the part of the health organization handling your records for your data to be breached. In fact, there have been multiple examples of large medical organizations allowing thousands of patients' records to be leaked.
In 2010, the records of roughly 6,800 patients of Columbia University Medical Center and New York-Presbyterian Hospital were exposed on the public internet through a misconfigured server. A Temple University doctor had a laptop stolen that contained the private medical files of nearly 4,000 patients. These are just two of far too many examples.
Part of the problem is that these records are being protected by individuals not properly trained in digital security. Medical professionals all know about HIPAA (the Health Insurance Portability and Accountability Act), a US law that sets privacy standards to protect patients' medical records and other health information held by health plans, doctors, hospitals and other healthcare providers.
They know that PHI is not to be shared outside treatment, payment and healthcare operations without the patient's written authorization. But even that standard is sometimes broken by medical professionals. So, if some people in the medical industry are willingly leaking information, imagine how often information is leaked accidentally.
So, what can you do? As with most aspects of digital security, it is best to take matters into your own hands. The only person who will advocate for you 100 percent of the time is you. It is vital to do everything you can to protect yourself and your data online; this can prevent others from learning your location, medical data, personal data and much more.
Let’s take a look at a few ways that you can protect yourself in the digital realm:
Be aware with whom you are communicating
It might be obvious that you shouldn't send personal information to unknown email contacts or social media profiles, but not everyone considers the authenticity of medical websites. People often look up medical advice and end up sharing personal details with any random website that offers to let them chat with a "real" medical professional.
These websites can put not only your medical information at risk but also your credit card details, since you will almost certainly be asked for your card number before you get to chat with anybody.
Beyond that, consider the applications your medical facility uses to share your information. Before agreeing to access your data digitally, look into the software it uses to confirm it is reputable and secure.
By Brad Spannbauer, senior director of product management, eFax Corporate.
When it comes to cybersecurity, healthcare organizations face a constantly shifting threat landscape. New technologies and techniques, employed by increasingly capable criminals, require organizations to be proactive in their defenses or risk being outmaneuvered by those who seek to exploit them. But security threats don't come only from outside; risks are just as prevalent within organizations. The latest edition of Verizon's Data Breach Investigations Report found that healthcare is the only industry in which insiders pose the greater threat to sensitive data, with 58 percent of incidents originating within the organization.
Whether malicious in intent or the result of honest mistakes by healthcare workers doing their best in a high-stress environment, a failure to recognize these risks and apply appropriate safeguards can have grave consequences for providers. For example, an IBM and Ponemon Institute study found that healthcare data breaches cost organizations $408 per record on average, nearly three times the global average across all industries. That may not sound like much, but multiplied by the thousands of records on a single stolen, unencrypted laptop it adds up to a significant financial penalty.
Software testing and quality assurance have grown in importance for companies. Over the past few years, QA has established itself as a formidable career choice, and that is unlikely to stop anytime soon. As the name implies, quality assurance is about maintaining high quality on a constant basis, and it is not surprising to see the concept making its way to the core of several industry verticals, including healthcare.
Quality monitoring is gaining momentum among purchasers, patients and providers who want to evaluate the value of healthcare spending. Over the past decade the science of quality measurement has matured, despite some challenges that can run counter to the demands of cost containment. The following post explores the key challenges that must be addressed in the healthcare sector, after a brief detour that will lead us to the answer.
Why the healthcare sector needs QA and testing
Speed and quality are core essentials that serve the healthcare industry and drive a significant amount of invention and advancement. One of the best examples of how digitalization is transforming the industry is the growing number of people and devices that are connected in order to draw meaningful inferences from the data they generate.
Technology is the support system through which applications are created to deliver services, even at a distance. There has been a sudden surge in healthcare products such as wearables, followed by applications, especially those associated with them. These products represent a big market and will continue to have a tremendous impact on the economy in the coming years. Below are a few reasons why QA testing tools and testing are crucial in the healthcare industry.
#1 Big data testing in healthcare: Because it holds so much information about patients' health conditions, the healthcare industry is one of the most data-intensive sectors. Healthcare institutions and their associated segments rely on that data to devise the right strategy and build relevant products. Big data testing, originally introduced to validate the inferences and data points drawn from these systems, also supports decisions about drug discovery, disease treatment and research and development, and those decisions are among the most informed anyone can make.
#2 Security of applications: Healthcare websites and applications hold some of the most sensitive data there is: patients' identities and health information. Security testing and penetration testing cannot make a system "hack proof", but they find the weaknesses an attacker would use and let them be fixed before release, which is why quality assurance and security testing are essential for all such applications.
#3 Usability testing in healthcare: Usability testing matters more in healthcare than in most industries. A pharmacist or nurse works through many features and user scenarios during a shift, and these routine tasks are not where their attention should go; usability testing identifies them so they can be eased through automation and features that simplify the whole process.
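As an added example for point #2 above (this is not code from the original post or from any product it mentions), here is a Python authorization test for a hypothetical patient-records lookup. The records, roles and allowed-field sets are constructed for illustration and are assumptions, not a real organization's policy. The same access matrix is run against a deliberately vulnerable lookup, which returns any record in full to any caller, and against a hardened one, which first checks the caller's entitlement to that patient and then filters the response down to the minimum-necessary fields for the role, the over-disclosure issue the HIPAA reviews on this page repeatedly flag.

```python
"""Added example, not from the original page: an authorization test for a
hypothetical patient-records lookup. Records, roles and field policy are
constructed for illustration only."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (fictional patients; assumption for the example).
RECORDS = {
    "p-1001": {"name": "A. Patient", "dob": "1970-01-01", "diagnosis": "asthma",
               "insurer": "ExampleCare", "notes": "inhaler refill"},
    "p-1002": {"name": "B. Patient", "dob": "1982-06-30", "diagnosis": "diabetes",
               "insurer": "ExampleCare", "notes": "HbA1c follow-up"},
}

# Minimum-necessary field sets per role (assumption; a real policy comes from
# the organization's privacy officer, not from code).
ALLOWED_FIELDS = {
    "clinician": {"name", "dob", "diagnosis", "notes"},
    "billing": {"name", "dob", "insurer"},
    "patient": {"name", "dob", "diagnosis", "insurer", "notes"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    patient_id: Optional[str] = None            # set when role == "patient"
    care_team_for: frozenset = frozenset()      # patient ids a clinician treats


class AuthzError(PermissionError):
    pass


def get_record_vulnerable(principal, patient_id):
    """'Before' version: any authenticated caller can read any record in full.
    This is the IDOR / over-disclosure pattern a security test should catch."""
    return dict(RECORDS[patient_id])


def get_record(principal, patient_id):
    """Hardened version: verify the caller is entitled to this patient's record,
    then return only the fields the caller's role may see."""
    if patient_id not in RECORDS:
        raise KeyError(patient_id)
    if principal.role == "patient":
        if principal.patient_id != patient_id:
            raise AuthzError("patients may read only their own record")
    elif principal.role == "clinician":
        if patient_id not in principal.care_team_for:
            raise AuthzError("clinician is not on this patient's care team")
    elif principal.role == "billing":
        pass  # billing may look up any patient but sees only billing fields
    else:
        raise AuthzError(f"unknown role {principal.role!r}")
    fields = ALLOWED_FIELDS[principal.role]
    return {k: v for k, v in RECORDS[patient_id].items() if k in fields}


def run_access_tests(lookup):
    """Run a matrix of (caller, target) cases against lookup() and return a
    list of findings; an empty list means every case matched the policy."""
    clinician = Principal("dr-1", "clinician", care_team_for=frozenset({"p-1001"}))
    billing = Principal("bill-1", "billing")
    patient = Principal("pt-2", "patient", patient_id="p-1002")
    cases = [
        # (principal, target, expect_allowed, fields the role may receive)
        (clinician, "p-1001", True, ALLOWED_FIELDS["clinician"]),
        (clinician, "p-1002", False, set()),     # not on this patient's care team
        (billing, "p-1001", True, ALLOWED_FIELDS["billing"]),
        (patient, "p-1002", True, ALLOWED_FIELDS["patient"]),
        (patient, "p-1001", False, set()),       # another patient's record
    ]
    findings = []
    for who, target, expect_allowed, allowed in cases:
        try:
            result = lookup(who, target)
        except AuthzError:
            if expect_allowed:
                findings.append(f"{who.user_id} wrongly denied {target}")
            continue
        if not expect_allowed:
            findings.append(f"{who.user_id} ({who.role}) read {target} without entitlement")
        elif not set(result) <= allowed:
            extra = sorted(set(result) - allowed)
            findings.append(f"{who.user_id} received over-disclosed fields {extra} for {target}")
    return findings


if __name__ == "__main__":
    print("vulnerable:", run_access_tests(get_record_vulnerable))
    print("hardened:  ", run_access_tests(get_record))
```

Run against the vulnerable lookup the matrix reports two unauthorized reads and two over-disclosures (the clinician receives the insurer field, billing receives diagnosis and notes); against the hardened lookup it reports nothing. The point of structuring the check as a matrix is that both failure modes, reading someone else's record and reading too much of a permitted record, are exercised by the same test, which is what a minimum-necessary review needs.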
QA Challenges in Healthcare Apps
The healthcare industry has also started to introduce mobile platforms across the care delivery cycle, creating a voluminous medical app market. Below are a few QA challenges in testing healthcare mobile apps and how to get over them.
Challenge #1 Users and their expectations
Software usability is a core element in the healthcare industry. Look at EHR systems: it is important to come up with something that not only offers accurate records but also aggregates physical activity recommendations with nutrition tracking. When testing an mHealth app, think about the situations in which patients may need it. In critical cases, older patients can make the most of a condition management app that helps them work out what their condition is and tap the emergency call button when things become extreme.
In addition, healthcare mobile apps affect many stakeholders: patients, caregivers, care team members, administrative staff, insurers and more. The app should adequately support their workflows, so QA specialists need a good picture of basic user needs, for example a patient who wants to connect a smartwatch to the app to monitor heart rate while exercising, or a physician who wants to review a patient's treatment plan progress remotely.
Healthcare organizations face unprecedented compliance challenges when it comes to managing business associate agreements (BAAs) amid frequent data breaches, heightened federal scrutiny and anticipated privacy legislation. Actions by the Office for Civil Rights (OCR) have clearly demonstrated stricter enforcement of HIPAA rules in recent years, and the industry has already witnessed a notable uptick in public shaming and fines associated with missing just a single BAA.
In December 2018 alone, OCR announced two notable settlements. Advanced Care Hospitalists (FL) entered into a $500,000 no-fault settlement with OCR, and Pagosa Springs Medical Center (CO) agreed to pay $111,400, both involving a missing BAA.
Simply put, BAAs have become a cornerstone of OCR enforcement. And the outlook is not likely to change, as trends point to continued advancement of privacy laws. By the close of 2018, 12 states had already updated their breach notification laws, shortening the 60-day window in the federal rule to 45 days, and in some states (CO, FL) to 30 days.
Breaches involving protected health information (PHI) are typically reported publicly at the Covered Entity (CE) level. When a breach involving a third party, or Business Associate (BA), occurs, one of the first things the federal government investigates is whether a BAA is in place with the CE. If a BAA does not exist, it typically sets off a chain reaction of investigations into other areas of HIPAA compliance.
While most headlines related to BAA compliance relate to CEs, HIPAA experts predict that 2019 will usher in greater focus on BAs and their management of these agreements as well. Many believe that unprepared BAs—especially small and mid-sized companies that lack resources to address HIPAA compliance—will become targets, increasing industry concern over proper BAA compliance.
Healthcare’s BAA management conundrum
Today’s healthcare organizations are feeling the heat, yet most are challenged to effectively manage BAAs due to limited resources for reviewing and managing massive and growing numbers of these agreements—reaching upwards of several thousand in larger organizations and health systems. Exacerbating this challenge is the current consolidation trend, which creates a fragmented landscape for BAA oversight that extends across multiple departments, facilities, affiliations and a multitude of different owners.
Consequently, manual, inconsistent workflows common to BAA management in today’s organizations open the door to significant risk. In truth, the most basic information often eludes the executive suite in most CEs and BAs, including the total number of existing agreements, where they are located and the terms of each.
BAAs are also the subject of intense negotiation between CEs, BAs and subcontractors, which often results in obligations that go beyond HIPAA and HITECH and causes contractual terms to vary significantly between agreements. Consequently, when organizations need to know the terms of these agreements, they must extract the information manually, one agreement at a time, and across hundreds or thousands of BAAs the resources this requires are simply unfeasible for many organizations.
Yet, compliance professionals need quick and easy access to this information to ensure optimal response to breaches, which have become the norm for healthcare organizations as opposed to the exception. Consider the findings of a 2018 Black Book Market Research study: 90 percent of healthcare organizations have experienced a data breach since the third quarter of 2016, and nearly 50 percent have had more than five.