Outsourcing Partnership Reduces Compliance Risk in Complex Regulations
April 2002. The impending deadline now shaping the future of privacy and security of patient information in the healthcare industry finds some organizations facing formidable challenges, for they must soon comply with the initial guidelines and standards set forth in the U.S. Health Insurance Portability and Accountability Act (HIPAA). The new security rules are not yet final, but healthcare organizations are turning quickly to service providers for solutions to protect the confidentiality of patient data.
Plans to secure patient data necessitate some process reengineering and the launch of new due diligence processes to control access to, and the availability and storage of, information, as well as the elimination of vulnerabilities in the electronic transmission of data via networks and the Internet. Although HIPAA is not solely a technological problem, technology plays a large part in many of the security risk solutions.
But not all healthcare organizations see the approaching HIPAA deadline as a threat. Pinnacle Health System in the Harrisburg, Pennsylvania area has taken an aggressive approach to dealing with HIPAA compliance and is clearly several leaps ahead in the game.
An Exponential Jump
Richard Bagby, vice president for informatics and CIO of the Pinnacle system, sets the tone of his organization's approach to new challenges. "The model for healthcare that we are trying to project is one of looking toward wellness for the community, rather than the old acute model of fixing sick people in the hospital," he explains. That proactive stance led Pinnacle Health in 1994 to outsource the responsibility for its IT processes to Siemens Medical Solutions. And it carries over to Pinnacle's HIPAA compliance approach.
"I'm not looking to do HIPAA for the sake of HIPAA," he says. "I'm looking to do privacy for the sake of what makes sense from an organization point of view and from a patient confidentiality point of view. The privacy things that HIPAA says we are supposed to do make sense, and this has been an ongoing issue for years. We took a head start on this, but we are focusing on things that make sense and that are the right things to do."
Although HIPAA compliance is a huge issue for the payers with their disparate claims systems, Pinnacle Health views it primarily as a process issue with two areas: privacy and software codes/transactions. Believing the payers won't be ready and will move over at different stages, Bagby states that Pinnacle plans to use a clearinghouse at first. Thus, Pinnacle will eliminate the need to run multiple systems and let the clearinghouse deal with each of the payers. For the software aspects and electronic data transactions, they are leaning on the expertise of Siemens.
Because of the outsourcing relationship, says Pinnacle's CIO, the healthcare organization has the competitive advantage of drawing on its outsourcer partner's expertise and nationwide best practices. "We get to implement their practices and ideas that make the most sense to us." A U.S. Marine for 24 years, Bagby contrasts this benefit to his military time served at Okinawa. "People rotated there every year. So we didn't have 25 years of experience. We had one year of experience 25 times." That's what happens with IT groups that don't have an infusion of new ideas and best practices, he believes. They just have the same old ideas and can only try to incrementally get a little bit better. "But if you have best practices infused into your organization," he exclaims, "you can make some exponential jumps on occasion!"
In August 2001, Siemens approached Pinnacle's Information Systems department (which is staffed with Siemens employees) about participating in some HIPAA testing. Siemens will take the Pinnacle data transaction sets that interact between Siemens systems, scramble the transactions and then unscramble them. The tests will validate that the data is still intact, the integrity of the data is still good, and Pinnacle's patient data transactions are safe.
"In order to move forward," advises Bagby, "you have to have a rock-solid support system so that you don't have to justify what things are going wrong. Siemens provides Pinnacle Health with that support." Outsourcing gives the hospital group the ability to be strategic in focusing on its core competencies, making Pinnacle Health the most effective organization it can be.
Lessons from the Outsourcing Primer:
- Outsourcing infuses an organization with best practices, enabling far more efficiency and benefits than incremental changes over time.
- Healthcare is a unique industry with complex business and regulatory issues, making its processes and changes high risk. Outsourcing can provide solutions that ensure regulatory processes are handled in a manner that protects the healthcare agency from any vulnerability.
- In addition to ensuring HIPAA compliance within their own organizations, healthcare providers and payers must ensure that all of their third-party service providers are also HIPAA compliant.