Running head: HEALTH INFORMATICS COMPLIANCE SURVEY
Health Informatics Compliance Survey
Stephanie Sellers
HI530
Dr. Brina Hollis
November 20th, 2018
Health Informatics Compliance Survey
With the introduction of new technologies and processes, today's health care system has
become more complex and diverse than it was in the past. The American health care system has
seen large changes in how care is delivered, measured and researched. Electronic health
records have spread rapidly and received a great deal of attention within today's health care
system because of their effectiveness and efficiency in managing patient records.
The purpose of our survey is to assess whether our hospital's internal data dictionary
requirements follow Joint Commission standards. Joint Commission standards set patient-focused
performance measures that are organized around functions and processes. The Comprehensive
Accreditation Manual for Hospitals (CAMH), published by the Joint Commission, contains the
functional data standards that are necessary to provide care. Accredited hospitals are required
to collect and submit performance data to the Joint Commission.
During a Joint Commission survey of any health care organization, tracer activity is
important and makes up most of the survey. Tracers are performed for many reasons: to
evaluate the effectiveness of organizational policies and procedures, to check compliance with
Joint Commission standards and the National Patient Safety Goals, to assess staff competency,
and to confirm that procedures are actually implemented. Our focus is on the data management
system tracer, which checks that the hospital's internal data dictionary requirements follow
Joint Commission standards. We can survey the data management processes and systems using
the following points.
The questions will be asked of members belonging to the following communities: the Joint
Commission, HL7, ASTM, NCQA, HEDIS, and ACS.
Q1. Is the interoperability method adequate for the organization's data integration needs?
Yes. The interoperability method allows interoperation with the other services of the
organization, such as monitoring, provisioning and security, because those services are
accessible through SOAP and REST APIs. Interoperability makes mining the data easier and
faster; the method can both pull data in and push data out, so it is useful for data
integration needs.
Q2. Is Joint Commission accreditation mandatory?
No, Joint Commission accreditation is not mandatory; health care organizations, services
and programs pursue certification and accreditation voluntarily. As long as the organization
is shown to be compliant with the CMS Conditions of Participation (for example through a state
survey), Joint Commission accreditation is not required. However, an organization that wishes
to receive payments from the federally funded Medicare and Medicaid programs should consider
accreditation, since CMS treats Joint Commission accreditation as meeting those conditions.
Q3. Can feedback collected from patients improve the performance of the
organization?
Yes, collecting feedback from patients can help improve the performance of the
organization. Acquiring information about patients' experiences will highlight the
areas that need improvement, and this offers an opportunity to provide patient-centered
health care services (Baldie et al., 2017). Once patients are satisfied with the services, they
will be willing to come back in the future and will also act as advocates by referring friends
and family to the facility. Feedback also makes it easier to evaluate or measure how the
providers perform against the set quality standards and to devise ways to help those who
underperform to improve.
Q4. How impactful is a PHI breach?
Data breaches can disrupt every care process that relies on health information
technology. PHI breaches also have financial implications: the cost of responding to and
repairing a breach diverts resources that would otherwise be used to provide patient care, so
the overall effect is a reduction in the quality of care (Choi & Johnson, 2017). For patients,
medical identity theft can cause personal financial losses and considerable stress. In addition,
PHI breaches endanger the relationship between patients and the facility; once a breach occurs,
the organization risks losing the confidence, trust and loyalty of its patients. Other impacts
include lawsuits, poor employee morale, penalties and fines paid to regulators, and fees paid to
lawyers and external consultants (Choi & Johnson, 2017). Given the depth and breadth of the
possible consequences of PHI breaches, the need for preparedness, programs and education to
prevent data breaches is evident.
Q5. Can health care accreditation be improved by adopting better data integration
methods?
Yes, health care accreditation could be improved through better data integration
techniques such as interoperability. Data integration results in better quality care, and
hence it can improve accreditation. With better data integration methods, accreditation
bodies are able to receive and publish performance information about organizations.
Q6. Can entering into a BAA increase accreditation and compliance?
Yes, entering into a BAA supports both accreditation and compliance. The Privacy Rule
requires covered entities to obtain satisfactory assurances from their business associates
that the associates will appropriately safeguard the protected health information they
create, receive, maintain or transmit on behalf of the covered entity. According to the HHS
website, this assurance must be in writing, in the form of a contract or other agreement. The
agreement ensures that the business associate can be held liable and accountable under HIPAA
for a PHI breach, in the same way as the covered entity. Thus, entering into a BAA facilitates
both accreditation and compliance.
Q7. Will including account activity logs increase the security of electronic health
records?
Yes. Account activity logs are a kind of metadata, commonly described as data about
data. They are generated automatically by computer systems for electronic documents such as
electronic health records. They help increase the security of electronically stored health
records because they chronologically record a) the date and time when a record was used or
changed, b) the specific user involved, c) the kind of action taken on the data, whether
revising, printing or entering data, and d) the specific data that was accessed. They thus
support auditing that can detect a PHI breach.
Q9. How well has HIPAA been accepted by the different health care organizations in
the country?
In its initial years after being enacted, HIPAA was opposed by many health care
organizations, which believed that it would render them bankrupt and hinder research
work; they argued that it would paralyze the health care industry. Even today, some critics
still speak out against HIPAA. Some cite the provisions that allow business associates to
access PHI as a threat to patient privacy. They claim that the same function HIPAA serves
could be served by state laws, which they say were stricter. Overall, HIPAA is not widely
welcomed by health care organizations because it is associated with such a high 'cost of
compliance'.
Q10. Are the critical rules of HIPAA followed religiously in the electronic health records
of medical organizations?
No, the critical rules of HIPAA are not followed religiously, as PHI breaches are
reported frequently in health care organizations. HIPAA violations involving electronic
health records are indeed a major concern for the ever-evolving health care industry.
Q11. Has applying HIPAA to electronic health record systems improved data security in
health care organizations?
Yes. According to Solove (2013), patients report that they trust HIPAA to protect the
privacy of their personal information. In practice, HIPAA has enhanced access to improved
care by giving patients assurance of data security and privacy.
Q12. In your view, which is more beneficial: the disposal requirement or the data backup
and storage requirement in HIPAA?
To me, the data backup and storage requirement in HIPAA is more beneficial. Both are
Security Rule requirements (the data backup plan under the contingency plan standard, and
disposal under the device and media controls standard), but electronic data that has been
backed up can be retrieved when a system fails or is attacked, whereas data that has been
disposed of cannot be recovered.
Q13. Is the interoperability data integration strategy aligned with the HIPAA
compliance followed in health care organizations?
Yes. Since the interoperability method allows interoperation with the other services
of the organization, such as monitoring, provisioning and security, it is in line with HIPAA
compliance rules. Better connectivity between the services means better communication and
thus better service and compliance. It also ensures a standardized level of service quality,
boosting quality along with compliance.
Q14. Are audit controls helpful enough in improving the quality of the data stored in
electronic health systems?
In a perfect world, access controls alone could guarantee the security and privacy of
ePHI. However, today's health care environment is complex, and it is difficult to restrict
access to health information narrowly and still expect staff to perform their jobs adequately.
If employees cannot reach some portions of a patient's record, their effectiveness could be
impaired. Therefore, organizations should develop and use security audits, along with
appropriate policies and procedures, to hold employees accountable for their own actions when
they access patient data through electronic health records. By performing security audits
using audit logs and audit trails, they are able to trace the threads of modifications, access
and transactions. Audit controls are helpful because they detect unauthorized access to
patient information, build a culture of accountability and responsibility, provide forensic
evidence for investigations, track disclosures of PHI, detect intrusion attempts and new
threats, and address compliance with accreditation and regulatory requirements.
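As an added example (not part of the original paper), the following Python code shows the four log fields listed in Q7 (time, user, action, record accessed) written as a tamper-evident log, together with the kind of audit check Q14 describes: flagging access by a user who has no care relationship with the patient. The signing key, the care-team roster and the three log entries are all constructed for the example; in a real deployment the key would be held outside the application and the roster would come from the EHR.

```python
"""Tamper-evident EHR access log plus an unauthorized-access check.

Added illustration for this paper; all data below is constructed.
"""
import hashlib
import hmac
import json

# Assumption: in production this key lives in a secrets manager or HSM and is
# never stored beside the log. A constant is used here only so the example
# runs offline.
LOG_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # chain value before the first entry

# Assumed care-team roster (patient record -> users with a treatment
# relationship). Constructed for the example.
CARE_TEAM = {
    "MRN-1001": {"dr.adams", "rn.baker"},
    "MRN-1002": {"dr.adams"},
}

FIELDS = ("time", "user", "action", "record", "prev")


def _mac(entry):
    """HMAC-SHA256 over the canonical JSON of the signed fields."""
    body = {k: entry[k] for k in FIELDS}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


def append(log, when, user, action, record):
    """Add one entry carrying the four fields from Q7, chained to the previous
    entry's MAC so that editing or deleting an earlier entry is detectable."""
    entry = {
        "time": when,       # a) date and time of use or change
        "user": user,       # b) the specific user
        "action": action,   # c) kind of action: view, update, print, ...
        "record": record,   # d) the specific data accessed
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    entry["mac"] = _mac(entry)
    log.append(entry)
    return entry


def verify_chain(log):
    """Return the index of the first entry whose MAC or chain link is wrong,
    or None when the whole log is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or not hmac.compare_digest(_mac(entry), entry["mac"]):
            return i
        prev = entry["mac"]
    return None


def find_unauthorized(log):
    """Audit rule from Q14: any access to a record by a user who is not on
    that patient's care team is flagged for review."""
    return [e for e in log if e["user"] not in CARE_TEAM.get(e["record"], set())]


def build_sample_log():
    """Three constructed entries; the third is a clerk printing a record of a
    patient they have no relationship with."""
    log = []
    append(log, "2018-11-20T08:05:00Z", "dr.adams", "view", "MRN-1001")
    append(log, "2018-11-20T08:07:30Z", "rn.baker", "update", "MRN-1001")
    append(log, "2018-11-20T23:41:12Z", "clerk.jones", "print", "MRN-1002")
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", verify_chain(sample) is None)
    for e in find_unauthorized(sample):
        print("REVIEW:", e["time"], e["user"], e["action"], e["record"])
```

The chain only proves integrity of what was written; it does not stop an administrator with the key from rewriting the log, which is why the key should not be readable by the EHR application's own database accounts.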
Q15. Has the availability of HIPAA-compliant applications on mobile phones made it easier to
access the information in electronic health records?
Yes. With the ubiquitous use of mobile phones, data and information in electronic
health records have become easier to access, although, as noted under Q18, personal devices
that leave the facility also widen the exposure of ePHI.
Q16. What are the different implications of HIPAA for patients and for the different
health care organizations?
a. There are cost implications, referred to as the 'cost of compliance' or, when rules are
broken, the 'cost of noncompliance'.
b. Patients are assured of their privacy, which increases their trust in and willingness to
seek health care from covered organizations.
Q17. In your view, do health care workers have enough knowledge of HIPAA
compliance?
I would say that not all health care workers have adequate knowledge of HIPAA
compliance. Organizations still need to cultivate a culture of compliance with HIPAA in
their employees by educating them about the requirements and making them aware of the
importance of complying.
Q18. What improvements need to be made in current HIPAA compliance?
Most organizations still do not encrypt ALL stored PHI. Combined with the prevalence
of hacking and malware, this is a major threat to both the organizations and their business
associates. Organizations should therefore improve their data encryption to make sure that
ALL of their ePHI is encrypted at rest with AES-256 or another strong, accepted algorithm;
under the HHS breach notification guidance, properly encrypted data that is lost is not
treated as unsecured PHI. Further, organizations should ensure that all data that needs to be
moved travels over an encrypted connection such as TLS (HTTPS). There is also a need for
improvement in the 'human element'. This can be done by ensuring that all employees are well
trained on the need for compliance and on the security practices that keep ePHI safe from
hackers and malware. Another issue is BYOD policies, under which organizations allow employees
to use their personal devices at work. This should be avoided because it endangers PHI: such
devices are taken home to unsecured networks. Lastly, organizations need to ensure that
business associates sign a BAA before any engagement and make the associates aware that
compliance and security are the top priority (Nass et al., 2009).
Q19. Is the Privacy Rule followed diligently in the HIPAA compliance programs of the
different health care organizations?
The Privacy Rule is not diligently followed, as many violations are reported.
Breaches have continued to increase in frequency, and penalties have increased as well.
Q20. Have emailing and messaging increased awareness of HIPAA compliance among
patients and doctors?
Yes, messaging and emailing have improved awareness of HIPAA compliance among
doctors and patients.
Conclusion
To sum up, with adequate education and training of employees on compliance matters
and on why compliance is important, the organization can meet its internal data dictionary
requirements. Further, through internal audit controls, a culture of accountability and
responsibility can be instilled in employees so that they make privacy, security and
compliance a top priority. Training can also make everyone aware of the need to comply with
external accreditation and compliance bodies with regard to ePHI data management. The data
format used in the organization also satisfies the hospital's data integration requirements,
since the data is already stored electronically and encrypted.
References
Baldie, D., Guthrie, B., Entwistle, V., & Kroll, T. (2017). Exploring the impact and use of
patients' feedback about their care experiences in general practice settings: A realist
synthesis. Family Practice, 35(1), 13-21. doi: 10.1093/fampra/cmx067
Barney, B. (2018). 5 tips to improve HIPAA compliance in 2018. Retrieved from
https://www.securitymetrics.com/blog/5-tips-improve-hipaa-compliance-2018
Choi, S., & Johnson, M. E. (2017). Do hospital data breaches reduce patient care
quality? Presentation at the 14th Workshop on the Economics of Information Security,
La Jolla, CA, June 26-27.
King, J., & Williams, L. (2012). Secure logging and auditing in electronic health records
systems: What can we learn from the payment card industry (position paper). USENIX
HealthSec '12.
Moreno-Conde, A., Moner, D., Cruz, W. D. D., Santos, M. R., Maldonado, J. A., Robles, M.,
& Kalra, D. (2015). Clinical information modeling processes for semantic interoperability
of electronic health records: Systematic review and inductive analysis. Journal of the
American Medical Informatics Association, 22(4), 925-934.
Nass, S. J., Levit, L. A., & Gostin, L. O. (2009). Beyond the HIPAA Privacy Rule: Enhancing
privacy, improving health through research. Washington, DC: National Academies Press.
Parimbelli, E., Sacchi, L., & Bellazzi, R. (2016). Decision support through data integration:
Strategies to meet the big data challenge. EJBI, 12(1).
Solove, D. (2013). HIPAA turns 10: Analyzing the past, present and future impact. Retrieved
from http://library.ahima.org/doc?oid=106325#.W_QLWegzbIV
Wang, Y., Kung, L., Wang, W. Y. C., & Cegielski, C. G. (2018). An integrated big data
analytics-enabled transformation model: Application to health care. Information &
Management, 55(1), 64-79.