In the 24/7, 365-day digital universe that we all now inhabit, there are three principal challenges that must be addressed when launching any new compliance initiative: 1) the people challenge; 2) the process challenge; and 3) the platform challenge. Although a successful HITECH/HIPAA compliance initiative will certainly have a well-defined platform component, the success of the initiative depends mostly on meeting the people and process challenges. That is, the principal challenges are not technology-centric; they have much more to do with how an organization thinks about compliance and how its processes interact with the platform.
The first thing to recognize is that these are still uncharted waters, despite the volumes that have been written about the HITECH Act ("HITECH"). The fact of the matter is that prior to HITECH, HIPAA was an unenforced paper tiger, and most industry insiders knew it. Now, under HITECH, there is a generalized sense in the healthcare industry that something important is happening with respect to privacy and security, but there are not many (perceived) useful maps that will lead to the promised results. If, as is widely recognized, technology in and of itself is not the answer, then what is? Compliance processes should be underpinned by a methodology that requires a change in your organization's HIPAA compliance mindset in order to succeed. Without a change in the organization's compliance DNA, full compliance with the regulations will remain elusive and (as is the case now) illusory.
Even if an organization clearly recognizes that it must change the way it thinks about compliance in order to achieve its compliance objective, it must also recognize the need to change how it implements the compliance processes that underpin its policies. That is, an effective compliance program requires a change in internal processes. All of us become extremely attached to our work processes and we all find it disconcerting when they change. It is important to recognize just how powerful our innate resistance to change is, because we cannot ignore it and hope to overcome it simultaneously. Resistance to change is how we are wired, and it often serves us well. There is more than a little wisdom in "if it's not broke then don't fix it."
However, our resistance often persists even when we know that what we are doing is broken. Why is that? The answer to this question could probably fill a PhD dissertation (i.e. one which we are unqualified to deliver), so we offer only a simple (though hopefully not simplistic) response: we resist change even when we know our processes are broken because we have a hundred and one reasons why we believe the new processes won't work. The truth is that we are partly right. The processes that will work will only evolve over time, likely after some false starts, and therefore the compliance methodology that we select must be malleable. Any attempt to substitute one rigid set of processes for another has a low probability of success.
HIPAA regulatory compliance is by definition a wicked problem. There is simply no one right way to go about it, nor any one-size-fits-all, off-the-shelf solution. Our products are prescriptive: they do in fact provide detailed compliance "how to" information, but with the understanding that each organization's implementation is likely to vary. Therefore, we provide a suite of products that are readily customizable to processes that will work within your organization.
Our use of the term "Platform" refers to the combination of hardware, software and other connectivity options that make up the existing computing infrastructure within your organization. Obviously, some Platform components (e.g. Expresso) play a direct, conspicuous role in your compliance initiative. For example, the logging functionality included in your EHR application helps you meet one of the Security Rule's requirements; likewise, an EHR application's requirement that strong passwords be used does the same. Many such examples can be found. However, it is important to keep in mind that there is no such thing as a HIPAA-compliant product or service. Only covered entities ("CEs") and business associates ("BAs") can be HIPAA compliant. No third-party product, or set of products, is magically going to solve your compliance challenges.
Platform considerations have become even more important now that knowledge workers are increasingly "distributed" and mobile, requiring anywhere/anytime access. The Platform needs to be as reliable as the nation's electric grid so that users (and patients) can "plug in" on demand. It needs to be securely available 24/7, 365 days a year, and it needs to do all of this while maintaining the confidentiality of the PHI contained within it. This is no small feat. CEs and BAs of all sizes continue to struggle mightily to meet their compliance objectives. However, despite real Platform challenges, technologies exist, and are becoming more economically accessible each day, that will help you meet your compliance objectives. And, as discussed above, you are far more likely to be out of compliance due to people and process challenges than due to a lack of affordable enabling technologies.