If your organization handles personal health information (PHI) or personal health records (PHR), you likely already know you’re bound by compliance legislation to protect that data.
In the United States, that’s HIPAA (the Health Insurance Portability and Accountability Act) and HITECH (the Health Information Technology for Economic and Clinical Health Act). Depending on where you are in Canada, you’re subject to PIPA, PIA, PHIPA or similar provincial legislation.
Often lost in the alphabet soup, however, are some more familiar letters: the 5 W’s – who, what, when, where, and why.
True, you and your organization have no choice but to comply with personal health regulations. But here’s a refresher anyway—who wouldn’t benefit from brushing up on the reasons why you must be compliant.
Compliance is serious business, and non-compliance can be costly. For example, the Office for Civil Rights—the organization charged with investigating US breaches—offers these sobering statistics:
OCR reports the following most investigated issues:
According to OCR, here are the covered entities that typically have compliance issues (in order of frequency):
Even if you don’t find yourself on that list, however, you may still be laboring under some mistaken beliefs about compliance—beliefs that could cost you if you’re not careful.
No matter who you are or what your organization does, if you manage PHI or PHR you need to do so in a way that complies with relevant legislation. There are several other widespread beliefs about compliance, however, that may be exposing you to risk:
Yes, it may cost money to implement a robust compliance program, but the costs of not doing so are higher. For example, penalties under HITECH, the Health Information Technology for Economic and Clinical Health Act, can reach $50,000 per violation.
Not true—any organization tasked with protecting PHI and PHR can be penalized for violating compliance legislation.
HIPAA is clear here: any person in any organization—working for a covered entity either directly or indirectly—who handles or discloses PHI or PHR is governed by the legislation. Legislation in other countries has similar provisions.
Many organizations have begun to use software suites designed to help them manage compliance. The same applications that help with financial audits, for example, are ready-made to help implement and enforce healthcare compliance.
Most available cloud-based software suites host data in a way that specifically facilitates healthcare compliance. Externally hosting PHI and PHR in and of itself doesn’t make your organization non-compliant.
Think again. Some legislation considers even the lowly phone number to be PHI—best to treat it all as covered.
If you’re struggling with healthcare compliance, software can help. To learn more about whether it might be right for you, Resolver offers several useful write-ups to help you find information about how hospitals use incident management software to stay on top of potential compliance problems.
Baptist Health South Florida, for example, sees about 1500 activities per week, and uses Resolver’s software to capture security reports, mitigate risks, and deploy safeguards to reduce the possibility of an incident like a compliance breach.
Massachussets General Hospital pulls incident information into automatically generated compliance reports.
And London Health Sciences Centre, a large Canadian acute-care facility, uses our software for activity tracking and dispatch, incident reporting, and investigation and case management, gaining perspective in the process.