Compliance with laws and regulations in the health care industry can be challenging. The variety of technologies and protocols involved can affect legal compliance efforts. Violations of health care laws and regulations can lead to significant fines and punishment. Compliance violations can also lead to state licensing issues, including department investigations and discipline. Multistate health care practitioners face further challenges if a licensing issue in one state causes other state departments to become involved. A recent article published by Becker’s Hospital Review addresses some specific regulations and offers some options to help health care practitioners satisfy compliance needs.[i]
Health care compliance laws and regulations include:
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Control Objectives for Information and Related Technology (COBIT)
- The Sarbanes Oxley Act (SOX)
Each of these laws requires health care organizations to take measures to safeguard information and use security measures to protect patient data. For example, “HIPAA requirements include workstation security, access controls, audit controls and person or entity authentication. HIPAA protects the use and disclosure of patient data and ensures that healthcare organizations have the correct security measures in place. COBIT, which is published by the IT Governance Institute also provides “a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit control and security practitioners.” In addition, SOX is a set of auditing accountability standards for all publicly traded companies in the United States.[ii]”
Suggestions and focus areas in ensuring organizations and systems are compliant
- Delegating temporary user access to online systems
Computer and database system administrators may use a variety of software tools to manage user accounts in hospitals and health care organizations. Just as we should never write out passwords on a post-it note on our desk, giving out passwords and credentials to other employees can lead to a compliance error. If an employee must be out of the office and another assumes some of the absent employee’s duties, that person will need access to the systems. If the employee gives their passwords and credentials to another trusted employee, they should immediately change those passwords upon return to work, to prevent anyone else from retaining access to their protected areas. A better solution involves a system administrator creating temporary access passwords and credentials. For a limited amount of time, another employee could be given limited access, to only the information they need, and the password would expire by programming or by the system administrator’s election, often by the click of a button.
- Keeping passwords secure
In many health care organizations and settings, a variety of usernames and logon passwords is used to access a variety of systems. When employees must access different systems during routine work, there is a risk that they will write down all their credentials and passwords and carry them on or near them, exposing the information to being taken or copied by another. The suggested solution to this risk is a single sign-on username and password, which an employee is more likely to memorize. System administrators can combine credentials and passwords into a single sign-on and allow that employee detailed access to what they require for their work, which can be managed and limited as necessary.
- Enhanced authentication procedures
Advances in online security are frequent and important to evaluate for implementation in health care organizations and settings. As new protocols for online user authentication are accepted and used in the industry, amendments to the compliance laws often follow. For many organizations, recent compliance audits following updates to the laws led to an update to the then-current authentication procedures. It is important to plan for and assume that new advanced protocols and procedures are forthcoming. Making it a priority for the organization to remain diligent on advances in security is important to compliance management.
- Eliminating shared user accounts
While there is utility in being able to access and update databases in real time, there is a compliance risk when multiple health care employees are allowed to log on to a system at the same time. A traditional paper patient chart may have multiple entries, signatures and notably different handwriting, and health care staff can usually tell who made what entries. Using a computerized system for information sharing makes it nearly impossible to determine who made what entries, causing a significant compliance risk. Fortunately, advances in technology and software allow system administrators to cure the exposure to compliance errors by eliminating shared user accounts and better managing individual user accounts with increased tracking abilities.
Keeping up with compliance laws in the health care industry can be challenging, and the right systems and compliance management are important.
The larger organizations may have greater access and options to higher level compliance management, but smaller health care operations and sole physician practices have different resources. There are outsourced solutions available to health care operations that lack an internal department to work on compliance issues. As health care law and litigation attorneys, our firm also assists health care practices of all sizes to review compliance concerns and systems, advising and representing clients with legal compliance concerns and issues.
Michael V. Favia and Associates, P.C., works with physicians and health care organizations to cure compliance risks and respond to legal issues in connection with compliance laws affecting health care industry professionals.
Chicago health law and litigation attorney Michael V. Favia and his associates in several locations and disciplines, advise and represent licensed physicians in all types of litigation and administrative matters involving licensing and regulatory agencies.
Michael V. Favia and Associates, P.C. represents individual physicians and health care organizations in the Chicago area with a variety of legal matters. With offices conveniently located in the Chicago Loop, Northwest side and suburban meeting locations, you can schedule a discreet meeting with an attorney at your convenience and discretion. For more about Michael V. Favia & Associates, please visit www.favialawfirm.com and feel free to “Like” the firm on Facebook and “Follow” the firm on Twitter. You can also review endorsements and recommendations for Michael V. Favia on his Avvo.com profile and on LinkedIn.
[i] Becker’s Hospital Review, Challenges to meeting compliance needs, by Dean Wiech, Mar. 16, 2016
[ii] See HNi above.