Health Informatics Compliance Survey
Stephanie Sellers
HI530, Dr. Brina Hollis
November 20, 2018

Health Informatics Compliance Survey

With the introduction of new technologies and processes, today's health care system has become more complex and diverse than it was in the past. The American health care system has seen major changes in its delivery, quality and research. Electronic health records have expanded and received a great deal of attention because of their effectiveness and efficiency in managing patient records.

The purpose of this survey is to assess whether our hospital's internal data dictionary requirements follow Joint Commission standards. Joint Commission standards set patient-focused performance measures organized around functions and processes. The Comprehensive Accreditation Manual for Hospitals (CAMH), published by the Joint Commission, contains the functional data standards needed to provide care, and hospitals are required to collect and submit data to the Joint Commission. Tracers make up most of a Joint Commission survey of any health care organization: they are used to evaluate the effectiveness of organizational policies and procedures, to check compliance with Joint Commission standards and the National Patient Safety Goals, to assess staff competency, and to verify that procedures are actually implemented. Our focus is the data management system tracer, used here to check that the hospital's internal data dictionary requirements follow Joint Commission standards. The data management processes and systems are surveyed through the questions below, which are put to members of the following communities: the Joint Commission, HL7, ASTM, NCQA, HEDIS, and ACS.

Q1.
Is the interoperability method useful enough for the data integration needs?

Yes. The interoperability method allows interoperation with the organization's other services, such as monitoring, provisioning and security, because it is accessible through SOAP and REST APIs. It can pull data in and push data out easily, which makes data mining faster, so it is useful for data integration needs.

Q2. Is Joint Commission accreditation mandatory?

No. Health care organizations, services and programs pursue certification and accreditation voluntarily. Joint Commission accreditation is not required as long as the organization demonstrates compliance with the CMS Conditions of Participation in another way, such as a state agency survey. An organization that wishes to receive payments from the federally funded Medicare and Medicaid programs must meet those conditions, and accreditation by the Joint Commission is one accepted way of demonstrating that (deemed status), so it should consider accreditation.

Q3. Can feedback collected from patients improve the performance of the organization?

Yes. Collecting feedback from patients helps improve the organization's performance. Information about patients' experiences highlights the areas that need improvement and offers an opportunity to provide patient-centered care (Baldie et al., 2017). Satisfied patients are willing to return in future and act as advocates, referring friends and family to the facility. Feedback also makes it easier to measure how providers perform against the set quality standards and to devise ways of helping those who underperform.

Q4. How impactful is a PHI breach?

Data breaches can disrupt every process of care that depends on health information technology. PHI breaches also have financial implications.
The financial cost of repairing a PHI breach means that resources which would otherwise go to patient care are diverted, and the overall effect is a reduction in the quality of care (Choi & Johnson, 2017). For patients, medical identity theft can bring personal financial losses and the stress that comes with them. PHI breaches also endanger the relationship between the health care facility and its customers: once a breach occurs, the organization risks losing their confidence, trust and loyalty. Other impacts include lawsuits, poor employee morale, penalties and fines paid to regulators, and fees paid to lawyers and external consultants (Choi & Johnson, 2017). Given the depth and breadth of the possible consequences of PHI breaches, the need for preparedness, programs and education to prevent them is evident.

Q5. Can health care accreditation be improved by adopting better data integration methods?

Yes. Accreditation can be improved through better data integration techniques such as interoperability. Data integration results in better quality care, which in turn supports accreditation, and with better integration methods accreditation bodies are able to receive and publish performance information about organizations.

Q6. Can entering into a BAA increase accreditation and compliance?

Definitely. Entering into a BAA supports both accreditation and compliance. The Privacy Rule requires a covered entity to obtain satisfactory assurances from each business associate that it will appropriately safeguard the protected health information it creates, receives, maintains or transmits on the covered entity's behalf. According to the HHS website, that assurance must be in writing, in the form of a contract or other agreement.
Such an agreement makes the business associate accountable, with consequences under HIPAA similar to those faced by the covered entity in the event of a PHI breach. Entering into a BAA therefore supports accreditation and compliance.

Q7. Will including activity account logs increase the security of electronic health records?

Yes. Activity logs are a kind of metadata, commonly described as data about data, generated automatically by computers for electronic documents such as electronic health records. They increase the security of electronically stored health records because they chronologically record a) the date and time a record was used or changed, b) the specific user, c) the kind of action taken on the data, whether revising, printing or entering it, and d) the specific data accessed. They therefore support auditing that can detect a PHI breach. For the logs to serve that purpose they must be retained, protected from alteration by the very users they record, and reviewed regularly rather than merely collected.

Q9. How well has HIPAA been accepted by the different health care organizations in the country?

In its early years HIPAA was opposed by many health care organizations, which believed it would bankrupt them and hinder research; they argued it would paralyze the health care industry. Even today some critics still speak out against HIPAA. Some cite the provisions that allow business associates to access PHI as a threat to patient privacy, and claim that state laws, which they consider stricter, could do what HIPAA does. Overall, HIPAA is not widely welcomed by health care organizations because of the 'cost of compliance' associated with it.

Q10. Are the critical rules of HIPAA followed religiously in the electronic health records of medical organizations?
No. The critical rules of HIPAA are not followed religiously, as PHI breaches are reported often in health care organizations. HIPAA violations involving electronic health records remain a major concern for the ever-evolving health care industry.

Q11. Has introducing HIPAA into electronic health record systems improved data security in health care organizations?

Yes. According to Solove (2013), patients report that they trust HIPAA to protect the privacy of their personal information. In practice, HIPAA has improved access to better care by giving patients assurance of data security and privacy.

Q12. In your view, which is more beneficial: the disposal requirement or the data backup and storage requirement in HIPAA?

To me, the data backup and storage requirement is more beneficial. Electronic data that has been backed up can be retrieved easily, whereas once data has been disposed of it cannot be recovered.

Q13. Is the interoperability data integration strategy aligned with the HIPAA compliance followed in health care organizations?

Yes. Because the interoperability method allows interoperation with the organization's other services, such as monitoring, provisioning and security, it is in line with HIPAA compliance rules. Better connectivity between services implies better communication, and thus better service and compliance. It also ensures a standardized level of service quality, which boosts quality along with compliance.

Q14. Are audit controls helpful enough in improving the quality of the data stored in electronic health systems?

In a perfect world, access controls alone could guarantee the security and privacy of ePHI.
However, today's health care environment is complex, and it is difficult to restrict access to health information and still expect staff to do their jobs adequately; an employee who cannot reach some portion of a patient's record may be less effective. Organizations should therefore implement security audits, together with appropriate policies and procedures, to hold employees accountable for their own actions when they access patient data through the electronic health record. Security audits performed over audit logs and audit trails identify the threads of modifications, accesses and transactions in the system. Audit controls are helpful because they detect unauthorized access to patient information, instill a culture of accountability and responsibility, provide forensic evidence for investigations, track disclosures of PHI, detect intrusion attempts and new threats, and address accreditation and regulatory compliance requirements.

Q15. Has the availability of HIPAA-compliant platforms on mobile phones increased the ease of accessing information in electronic health records?

Yes. With mobile phones in ubiquitous use, data and information in electronic health records have become easier to reach. The same convenience places ePHI on devices that are easily lost or carried onto untrusted networks, so mobile access needs the device controls discussed under Q18.

Q16. What are the different implications of HIPAA for patients and for the various health care organizations?

a. There are cost implications, often called the 'cost of compliance' or, conversely, the 'cost of noncompliance'.
b. Patients are assured of their privacy, which increases their trust in, and willingness to seek care from, covered organizations.

Q17. In your view, do health care workers have enough knowledge of HIPAA compliance requirements?

Not all health care workers have adequate knowledge of HIPAA compliance requirements.
Organizations still need to cultivate a culture of HIPAA compliance among their employees by educating them on the requirements and making them aware of why compliance matters.

Q18. What improvements need to be made in present HIPAA compliance practice?

Most organizations still do not encrypt all stored PHI. Combined with the prevalence of hacking and malware, this is a major threat to both covered entities and business associates. Organizations should ensure that all ePHI at rest is encrypted with AES-256 or another strong, accepted algorithm, and that any data that has to be moved travels over an encrypted connection such as TLS (HTTPS). The Security Rule lists encryption as an addressable specification rather than an absolute requirement, but HHS treats ePHI encrypted in line with its guidance as secured, so a lost or stolen encrypted device does not trigger breach notification; that makes universal encryption the cheapest protection available. There is also room for improvement in the 'human element': all employees should be trained on the need for compliance and on practical security habits that keep ePHI safe from hackers and malware. Another issue is bring-your-own-device (BYOD) policies under which employees are allowed or required to use their personal devices for work. This needs to be avoided, because such devices leave the premises for unsecured home networks and put PHI at risk. Lastly, organizations should ensure that business associates sign a BAA before any engagement and make clear to them that compliance and security are the top priority (Nass et al., 2009).

Q19. Is the Privacy Rule followed diligently in the HIPAA compliance practised by the different health care organizations?

The Privacy Rule is not followed diligently, as many violations are reported. Breaches have continued to increase in frequency, and penalties with them.

Q20. Has emailing and messaging increased awareness of HIPAA compliance among patients and doctors?
Yes. Messaging and emailing have improved awareness of HIPAA compliance among doctors and patients.

Conclusion

To sum up, with adequate education and training of employees on compliance and why it matters, the organization can meet its internal data dictionary requirements. Internal audit controls instill a culture of accountability and responsibility, so that employees make privacy, security and compliance a top priority. Training also makes everyone aware of the need to comply with external accreditation and compliance bodies with respect to ePHI data management. The data format used in the organization also satisfies the hospital's data integration essentials, since the data is already stored electronically and encrypted.

References

Baldie, D., Guthrie, B., Entwistle, V., & Kroll, T. (2017). Exploring the impact and use of patients' feedback about their care experiences in general practice settings: A realist synthesis. Family Practice, 35(1), 13-21. https://doi.org/10.1093/fampra/cmx067
Barney, B. (2018). 5 tips to improve HIPAA compliance in 2018. SecurityMetrics. https://www.securitymetrics.com/blog/5-tips-improve-hipaa-compliance-2018
Choi, S., & Johnson, M. E. (2017). Do hospital data breaches reduce patient care quality? Workshop on the Economics of Information Security (WEIS), La Jolla, CA, June 26-27.
King, J., & Williams, L. (2012). Secure logging and auditing in electronic health records systems: What can we learn from the payment card industry? Position paper, USENIX HealthSec '12.
Moreno-Conde, A., Moner, D., Cruz, W. D. D., Santos, M. R., Maldonado, J. A., Robles, M., & Kalra, D. (2015). Clinical information modeling processes for semantic interoperability of electronic health records: Systematic review and inductive analysis.
Journal of the American Medical Informatics Association, 22(4), 925-934.
Nass, S. J., Levit, L. A., & Gostin, L. O. (Eds.). (2009). Beyond the HIPAA Privacy Rule: Enhancing privacy, improving health through research (Chapter 4: HIPAA, the Privacy Rule, and its application to health research). Washington, DC: National Academies Press.
Parimbelli, E., Sacchi, L., & Bellazzi, R. (2016). Decision support through data integration: Strategies to meet the big data challenge. EJBI, 12(1).
Solove, D. (2013). HIPAA turns 10: Analyzing the past, present and future impact. http://library.ahima.org/doc?oid=106325#.W_QLWegzbIV
Wang, Y., Kung, L., Wang, W. Y. C., & Cegielski, C. G. (2018). An integrated big data analytics-enabled transformation model: Application to health care. Information & Management, 55(1), 64-79.
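Appendix: Worked example of audit log review

The four audit-trail fields listed under Q7 (date and time, user, kind of action, data accessed) and the uses of audit controls described under Q14 (detecting unauthorized access, tracking disclosures of PHI, spotting intrusion attempts) are illustrated below with a small Python review of EHR audit records. This is an added example and is not part of the original survey or of any product it names. The JSON-lines log format, the user names, patient identifiers, roles, care-team table, business-hours window and thresholds are all assumptions constructed for the illustration; a real EHR's log schema and access policy would replace them.

```python
# Review of EHR audit-trail records (added example, not from the survey).
# Each record carries the four things an activity log must trace: date/time,
# user, kind of action, and the specific data touched.  Format, roles,
# care-team table and thresholds are assumptions made up for this example.
import json
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample audit log, one JSON object per line.  Every user,
# patient identifier and timestamp below is invented.
SAMPLE_LOG = """\
{"ts": "2018-11-19T08:02:11", "user": "rn_patel", "role": "nurse", "action": "view", "patient": "P1001", "fields": ["vitals", "meds"]}
{"ts": "2018-11-19T08:05:40", "user": "dr_kim", "role": "physician", "action": "edit", "patient": "P1001", "fields": ["orders"]}
{"ts": "2018-11-19T09:12:03", "user": "billing_lee", "role": "billing", "action": "view", "patient": "P1002", "fields": ["diagnosis", "insurance"]}
{"ts": "2018-11-19T12:30:00", "user": "rn_patel", "role": "nurse", "action": "view", "patient": "P2099", "fields": ["notes"]}
{"ts": "2018-11-19T23:41:15", "user": "clerk_ortiz", "role": "registration", "action": "export", "patient": "P1003", "fields": ["demographics", "diagnosis"]}
{"ts": "2018-11-19T23:41:20", "user": "clerk_ortiz", "role": "registration", "action": "export", "patient": "P1004", "fields": ["demographics", "diagnosis"]}
{"ts": "2018-11-19T23:41:25", "user": "clerk_ortiz", "role": "registration", "action": "export", "patient": "P1005", "fields": ["demographics", "diagnosis"]}
{"ts": "2018-11-20T07:55:01", "user": "dr_kim", "role": "physician", "action": "login_failed", "patient": null, "fields": []}
{"ts": "2018-11-20T07:55:09", "user": "dr_kim", "role": "physician", "action": "login_failed", "patient": null, "fields": []}
{"ts": "2018-11-20T07:55:15", "user": "dr_kim", "role": "physician", "action": "login_failed", "patient": null, "fields": []}
{"ts": "2018-11-20T07:55:21", "user": "dr_kim", "role": "physician", "action": "login_failed", "patient": null, "fields": []}
{"ts": "2018-11-20T08:10:44", "user": "dr_kim", "role": "physician", "action": "print", "patient": "P1001", "fields": ["summary"]}
"""

# Assumed access policy and review thresholds (hypothetical values).
CARE_TEAM = {"P1001": {"rn_patel", "dr_kim"}, "P1002": {"dr_kim"}}
CLINICAL_ROLES = {"nurse", "physician"}
CLINICAL_FIELDS = {"vitals", "meds", "orders", "notes"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
EXPORT_BURST = 3            # prints/exports in one window that count as bulk
BURST_WINDOW_SECONDS = 300
FAILED_LOGIN_LIMIT = 3


def parse_log(text):
    """Parse one JSON audit record per line; 'ts' becomes a datetime."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            entries.append(rec)
    return entries


def find_unauthorized_access(entries):
    """Clinical staff must be on the patient's care team; non-clinical
    staff must not touch clinical fields at all."""
    findings = []
    for e in entries:
        if e["patient"] is None:
            continue
        if e["role"] in CLINICAL_ROLES:
            if e["user"] not in CARE_TEAM.get(e["patient"], set()):
                findings.append((e["user"], e["patient"], "not on care team"))
        elif CLINICAL_FIELDS & set(e["fields"]):
            findings.append((e["user"], e["patient"], "clinical data read by non-clinical role"))
    return findings


def find_off_hours_exports(entries):
    """Flag a user who prints/exports EXPORT_BURST or more records outside
    business hours within BURST_WINDOW_SECONDS (a bulk-disclosure pattern)."""
    stamps_by_user = defaultdict(list)
    for e in entries:
        off_hours = not (BUSINESS_HOURS[0] <= e["ts"].time() < BUSINESS_HOURS[1])
        if e["action"] in ("export", "print") and off_hours:
            stamps_by_user[e["user"]].append(e["ts"])
    findings = []
    for user, stamps in sorted(stamps_by_user.items()):
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = [s for s in stamps[i:] if (s - start).total_seconds() <= BURST_WINDOW_SECONDS]
            if len(in_window) >= EXPORT_BURST:
                findings.append((user, len(in_window)))
                break
    return findings


def find_failed_logins(entries):
    """Repeated failed logins on one account: a possible intrusion attempt."""
    counts = Counter(e["user"] for e in entries if e["action"] == "login_failed")
    return [(u, n) for u, n in sorted(counts.items()) if n >= FAILED_LOGIN_LIMIT]


def accounting_of_disclosures(entries):
    """Every print/export leaves the system, so keep it as a disclosure record."""
    return [(e["ts"].isoformat(), e["user"], e["patient"], e["action"])
            for e in entries if e["action"] in ("export", "print")]


def review(text):
    """Run all checks over a log and return the findings by category."""
    entries = parse_log(text)
    return {
        "unauthorized": find_unauthorized_access(entries),
        "off_hours_exports": find_off_hours_exports(entries),
        "failed_logins": find_failed_logins(entries),
        "disclosures": accounting_of_disclosures(entries),
    }


if __name__ == "__main__":
    for category, items in review(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  ", item)
```

On the constructed log the review flags one nurse opening a record for a patient outside her care team, one registration clerk exporting three records in a burst late at night, and four consecutive failed logins on a physician's account, while the disclosure list records every print and export for later accounting. The checks only work because each record carries all four fields from Q7; a log that omitted the user or the data touched could not support the care-team or disclosure checks at all.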