The 5 W’s of Healthcare Compliance

If your organization handles personal health information (PHI) or personal health records (PHR), you likely already know you’re bound by compliance legislation to protect that data.

In the United States, that’s HIPAA (the Health Insurance Portability and Accountability Act) and HITECH (the Health Information Technology for Economic and Clinical Health Act). Depending on where you are in Canada, you’re subject to PIPA, PIA, PHIPA or similar provincial legislation.

Often lost in the alphabet soup, however, are some more familiar letters: the 5 W’s – who, what, when, where, and why.

True, you and your organization have no choice but to comply with personal health regulations. But here’s a refresher anyway—who wouldn’t benefit from brushing up on the reasons why you must be compliant.

Why does compliance matter?

Compliance is serious business, and non-compliance can be costly. For example, the Office for Civil Rights—the organization charged with investigating US breaches—offers these sobering statistics:

  • Since HIPAA compliance became mandatory in April 2003, more than 130,000 complaints have been made against covered entities—national pharmacy chains, major medical centers, group health plans, hospital chains, and small providers—and their business associates.
  • Close to 25,000 of those cases required changes in privacy practices or other corrective actions.
  • In 33 cases, OCR levied civil penalties totaling more than $33.6M.

What does non-compliance look like?

OCR reports the following most investigated issues:

  • Using or disclosing protected health information in a way that runs counter to legislation
  • Placing improper safeguards on protected health information
  • Not giving patients access to their own protected health information
  • Using or disclosing more protected health information that is absolutely necessary
  • Improperly putting administrative safeguards of electronic protected health information in place

Who is most often non-compliant?

According to OCR, here are the covered entities that typically have compliance issues (in order of frequency):

  • Private practices
  • General hospitals
  • Outpatient facilities
  • Pharmacies
  • Health plan (group health plans and health insurance issuers)

Even if you don’t find yourself on that list, however, you may still be laboring under some mistaken beliefs about compliance—beliefs that could cost you if you’re not careful.

What are common misconceptions about compliance?

No matter who you are or what your organization does, if you manage PHI or PHR you need to do so in a way that complies with relevant legislation. There are several other widespread beliefs about compliance, however, that may be exposing you to risk:

Compliance is expensive

Yes, it may cost money to implement a robust compliance program, but the costs of not doing so are higher. For example, penalties under HITECH, the Health Information Technology for Economic and Clinical Health Act, can reach $50,000 per violation.

Compliance is only for big companies

Not true—any organization tasked with protecting PHI and PHR can be penalized for violating compliance legislation.

Only certain employees need to worry about compliance

HIPAA is clear here: any person in any organization—working for a covered entity either directly or indirectly—who handles or discloses PHI or PHR is governed by the legislation. Legislation in other countries has similar provisions.

There’s simply too much to keep track of.

Many organizations have begun to use software suites designed to help them manage compliance. The same applications that help with financial audits, for example, are ready-made to help implement and enforce healthcare compliance.

Software is out of the question if you don’t have the infrastructure to host data on-site.

Most available cloud-based software suites host data in a way that specifically facilitates healthcare compliance. Externally hosting PHI and PHR in and of itself doesn’t make your organization non-compliant.

Only a certain kind of data is covered by legislation.

Think again. Some legislation considers even the lowly phone number to be PHI—best to treat it all as covered.

Where should you go from here?

If you’re struggling with healthcare compliance, software can help. To learn more about whether it might be right for you, Resolver offers several useful write-ups to help you find information about how hospitals use incident management software to stay on top of potential compliance problems.

Baptist Health South Florida, for example, sees about 1500 activities per week, and uses Resolver’s software to capture security reports, mitigate risks, and deploy safeguards to reduce the possibility of an incident like a compliance breach.

Massachussets General Hospital pulls incident information into automatically generated compliance reports.

And London Health Sciences Centre, a large Canadian acute-care facility, uses our software for activity tracking and dispatch, incident reporting, and investigation and case management, gaining perspective in the process.