3 common risks to healthcare compliance
From Internet-connected heart monitors to video-enabled consultations and vast internal data repositories, the rapid penetration of digital technology into the healthcare sector has radically altered how healthcare professionals work with patient data.
As positive as this is, one drawback is that many healthcare organizations and medical professionals are uncertain about how to handle patient data. High profile cases of data breaches continue to prove a reminder of the value of thorough and easy-to-use compliance processes.
Trust will always remain at the heart of doctor/patient relationships as such what can healthcare organizations do to ensure they meet compliance requirements on a consistent basis? And what are the key risks to avoid?
At Nintex, we recently published a whitepaper on compliance in the healthcare sector: The healing process: How automation can help the healthcare industry improve compliance, which explores some of the common risks to healthcare compliance in depth.
Another day, another historic fine
High profile cases of data breaches continue to make headlines. A recent example with real significance involved the health insurer Anthem Inc., which, in June 2017, agreed to pay a $115 million settlement after hackers stole personal information from their databases back in 2015. The settlement, which is yet to be approved by a U.S. District Court in California, will become the largest data breach settlement in history.
The hack affected 78.8 million files made up of personal information including names, birthdates, email and home addresses, Social Security numbers, and employment information of tens of millions of people. These included Anthem’s current and former customers, as well as their own employees.
It is believed that the hackers may have sold (or at least intended to sell) this information on the black market. The victims could be affected for years to come.
Healthcare and data protection
Trust and privacy have always been central to doctor-patient relationships—in the present day this has extended to any healthcare organization that handles sensitive information. Many physicians and other healthcare professionals wonder if the world of Big Data and cloud storage could potentially lead to new frictions in such an important relationship.
Cases like Anthem’s 2015 breach emphasize the importance of data protection laws, both in terms of the real effects of data breaches on the lives of the victims and the cost for organizations who fail to comply. The healthcare sector seems to be a regular target for hackers.
It’s also vulnerable to ‘break points’—where data is managed incorrectly and leads to unintended breaches, leaks or sharing of private information. These break points are especially likely to occur in the healthcare sector due to the vast scale of the data transferred between patients and healthcare organizations.
Over a billion medical visits happen each year in the United States alone. That’s a staggering amount of personal data to protect.
In recent years, several rules and regulations have been introduced to safeguard patients’ private data. These include the HITECH and HIPAA acts in the United States or the Regulation of Health Information Privacy in Australia to name just a few, and the onus is on organizations to ensure that personal data is safe and secure.
Although high-profile hacking and cybercrime grabs all the headlines, it’s the unintentional data breaches that are more of a pressing concern to most in the industry.
3 compliance ‘break points’
The variety and diversity of the new regulations have overwhelmed many medical professionals. With some doctors admitting that they lack confidence about what they can and cannot do with their patients’ data. According to a survey in HIPAA Journal, two thirds of healthcare professionals are uncertain about the best way to share data.
A combination of the high-pressure hospital environment and the expectations that busy doctors and nurses use ‘manual’ processes to handle patient data is leading to unintended leaks – most of which could have been easily avoided.
For instance, when clinicians refer patients to a specialist, they may have to download a document and send it out via email. Some even print these documents out and post them.
There are three main break points where unintended leaks are likely to occur:
1. Sharing information
Physicians need to share information about their patients with other professionals. When transferring details about a patient to a surgeon before an operation, for example. Shared via the cloud or by email, there is room for information to be misplaced.
As our whitepaper summarizes:
“Information can become duplicated, emails can be forwarded accidentally and the wrong people might get access to the [file hosting service] a few months down the line and discover private patient data.”
2. Contacting patients
Physicians reach out to patients all the time for a variety of reasons. Whether to confirm appointments or to deliver test results, the information involved is usually highly sensitive. When done manually, via email or text messages, there is a risk that personal information could find its way into the wrong hands.
As the whitepaper explains:
“Letters can be sent to the wrong address, emails can be sent to the wrong person who has the same name, text messages sent to the wrong phone number.”
3. Multiple systems
Patient data is normally stored in multiple different systems at any given time. Not only does this makes it difficult for doctors to piece together a patient’s history but it can lead to sensitive information being stored incorrectly.
Our whitepaper states:
“From emails to paper files held in different departments, [as well as] servers and utilization of nonauthorized data storage systems, pulling together a complete view of a patient can be surprisingly hard.”
A solution: Workflow automation
The key to compliance is to ensure that processes are followed consistently. The most effective way to guarantee this is to set up automated processes, which will shoulder most of the responsibility currently falling upon busy physicians. Automation, wherever possible, is a must.
