About a year ago, a large health system was showing interest in our care coordination technology solutions.
This was an important prospect for our company. After considerable discussion and preliminary negotiations, the organization's leaders expressed concern about our ability to achieve HIPAA compliance. Their security team was ready to work with us and offer guidance to help ensure that we could provide the necessary data protections.
We are a small company offering cloud-based care coordination solutions. Our products are designed to help large hospital systems engage patients and keep them on track with complex treatment plans that may involve multiple specialists and facilities. We do not have a large budget or dedicated staff for information security. That is why the health system's team – including its security team – questioned if we had the dedicated resources or expertise to comply with HIPAA.
Their specific concern is an increasingly common one – that downstream business partners and service providers are likely targets for both cybercriminals and government auditors. Put simply, the system wanted to be sure we could protect their data, and we needed to demonstrate that we could. We believed our products to be compliant, but embraced this challenge and undertook a security risk assessment with an established information consultancy (Pondurance) to be sure (and increase our prospect's confidence in our solution).
In the process, we learned a great deal about what it really means to comply with government regulations and how the right partners and advisors can help small organizations and companies such as ours. While we didn't face huge hurdles to compliance or uncover any major risks, the assessment did surface some issues that we had to address. And we found that the process isn't nearly as onerous as the depth of the regulation may lead you to believe. You just need the right guidance and approach.
Here are six of the lessons we learned.
1. Compliance is an ongoing journey, not a single or final destination. When it comes to HIPAA, you are never there; you are always in transit. Once the organization accepts that compliance isn't a "one-and-done" sort of project, achieving and maintaining it actually gets easier. Constant monitoring not only helps maintain auditability, but can also create a strong "security-first" mindset, which is the main point of the regulations in the first place, but which also offers some business benefits.
2. Don't underestimate the positive side effects. The audit process led to increased vigilance about overall system performance, and further supported our strong continuous improvement culture. In fact, the experience helped grow the expertise of our team. Since we can't afford a full-time employee committed to security, several team members had to contribute. Now everyone knows more about HIPAA and security than they did before. This is a good thing for obvious reasons.
3. You may be further along than you think. Our confidence grew as we realized, with objective inputs, that we were considerably above average in achieving compliance in HIPAA's main areas of focus. Our policies were 97% compliant, with technical and implementation compliance around 70%. Where we weren't strictly compliant, our gaps were not critical and we could easily identify projects to improve our compliance over time. Given that roughly 70% of audited companies fall short in some aspect of HIPAA compliance, we felt somewhat proud. But we also knew we had to move quickly to increase compliance on the implementation front.
4. Beware a false sense of security. Just having security policies in place isn't enough. You need to partner with organizations that eat, drink and sleep compliance. It can be a humbling process to figure out the procedures and implementation necessary to prove that you do what you say you do on paper. Completing Web-based forms and checking many "yes" boxes on a security audit can be a dangerous path if you don't understand the reasoning behind the requirements. In other words, understanding the "why" of compliance helps simplify the "how."
5. Compliance is a team sport and vendor management is critical. Because HIPAA is about entire systems, many people must play a part in ensuring compliance. So, the more partners and vendors you have, the more complex and challenging your compliance effort will be. In some ways, smaller companies like us have an advantage over larger organizations as we have only a few, highly focused partners, which include Catalyze, a developer of HIPAA-compliant cloud-based infrastructure. Larger organizations typically have a lot more vendors to oversee.
Vendor management is a critical consideration for large healthcare organizations. Our prospect was in that exact situation, actually — checking on us as a potential vendor in proactive fashion. In fact, the active participation and collaboration of their security team with our technical folks represented something of a best practice in the area of vendor management. There may be an "I" in HIPAA, but compliance is very much a team sport.
6. Security and innovation aren't mutually exclusive. We pride ourselves on producing innovative solutions, not unlike healthcare organizations striving to deliver better care in new ways. HIPAA has become another factor in our decision making relative to new features, interfaces and overall infrastructure, but it hasn't slowed us down. It must also be a factor for healthcare organizations pursuing new, innovative technologies and solutions as a means to enhance their patient care and improve their performance.
The bottom line
Yes, HIPAA compliance is a lot of work. But it's not necessarily a deal-breaker for small, agile organizations. And there are potential upsides in increasing security, expanding organizational knowledge and creating strong, collaborative relationships with partners. The more you come to understand HIPAA and accept it as a part of the general operating landscape, the more you may learn that it's a manageable factor in delivering solutions that can enhance healthcare.
Gary M. Winzenread co-founded Cordata Healthcare Innovations in 2014 and serves as its president and chief executive officer. Used by more than 100 hospitals and healthcare organizations around the country, Cordata's technology solutions for specialty care coordination are designed for more effective patient management and improved clinical and business outcomes.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.