Health-MOAT Solution Results in Privacy-Certified Employees
The significant changes required by the Health Insurance Portability and Accountability Act (HIPAA) to protect patients' Protected Health Information (PHI) goes far beyond technology for it encompasses all business processes in a healthcare organization. And compliance is not simple. HIPAA requires that:
- a healthcare entity must train all members of its workforce on the policies and procedures with respect to PHI;
- an entity must document that the training has been provided;
- whenever there is a change in law, an entity must promptly document and implement the revised policy or procedure; and
- the entity must maintain the policies and procedures in written or electronic form.
Lack of employee awareness of privacy and security issues is by far the weakest link, according to Rick Shaw, president and founder of CorpNet Security. And it can easily make a healthcare organization legally vulnerable. As an example, he cites a recent dumpster diving incident in Omaha, Nebraska, where someone dug through a dumpster, retrieved records from a healthcare clinic and then published the patients' private information over the Internet.
There are hundreds of examples of privacy breaches, Shaw says. One company, for example, breached privacy of several hundred people using Prozak by inadvertently including their names as cc recipients of an email, rather than ensuring their names were bcc recipients. The company received a financial penalty and was ordered to implement a training/awareness program.
The list of breaches includes easy-to-overlook behavior - such as people in offices writing their new computer passwords on Post-it notes and sticking them on their monitors where they can be seen by anyone. And there are the more recent phenomena, such as physicians accessing patient records while working from home in a less secure environment.
Many organizations - especially small provider offices with fewer resources - are up against a very high brick wall in complying with the challenging requirements for these business process changes. Some have begun to establish policies regarding what employees are supposed to do (or not supposed to do); but the fact is, even large organizations find it extremely difficult to implement the requirements.
If you're a decision-maker in a healthcare organization that cannot yet guarantee compliance with HIPAA's requirements, you need to keep reading this article. It's about CorpNet Security's solution for employee Privacy Certification. It's an outsourcing strategy that will save you money, time and other resources, eliminate the hassles with compliance, give you better results and mitigate risks.
The Technology: Teaching Employees What's Expected
e-MOAT is CorpNet Security's "electronic-Managed Ongoing Awareness Training." A comprehensive solution for company policy management and support, as well as privacy/security education to build a culture of security, e-MOAT has been a popular solution in the bank systems and technology arena.
Its core modules provide education on complex regulations through the use of easy-to-understand stories and news items of security/privacy breaches and questions. Employees learn why the new policies and procedures exist and what their roles will be in supporting them. To indicate that they have understood the training and acknowledge their acceptance of the policies and procedures, employees must actually type the words, "I agree." The accompanying automatic date/time stamp on the statement of agreement ensures consistent reporting for compliance audits and HR issues.
User feedback on the training for small provider offices (such as chiropractors, dentists, optometrists, and small physician groups) has been very positive. Doctors have commented that they didn't have the resources and didn't know how to address HIPAA compliance with their employees. The eagerly awaited Health-MOAT for larger providers and payer groups just hit the market this week.
Basically, Health-MOAT is e-MOAT with a HIPAA module added. CorpNet Security has been working with leading legal and healthcare subject experts in developing the HIPAA training module. Health-MOAT also includes a "Policy Vault" module that uses downloadable templates to help a healthcare entity easily develop or revise security and privacy policies. This module also keeps the company automatically informed as to the latest threats, trends and regulatory changes.
The buyer's administrators have access to real-time status of training with six different types of reports accessible through the Internet. The offsite, third-party reporting feature provides authentication for HIPAA compliance audits.
The eLearning Approach: Low Overheard
Those magic words - "low overhead" - apply to this solution hosted by CorpNet Security. It requires no people and no hardware or software because it's Web-based; employees can access it even away from the office. The eLearning approach ensures they can progress through the training at their own pace, and it eliminates all the hassles and costs associated with classroom training (facilities, materials, scheduling, testing, trainers, time away from the job while in the training sessions, etc.).
This outsourced solution can be up and running in just a few days. It's as simple as the buyer sending an electronic file with employee email addresses to CorpNet Security, which then loads the information onto its system and notifies the employees of their unique login IDs and passwords.
The service is priced on a per employee basis, with unlimited use for a year, including as-needed policy updates being sent to all users via email. If desired, a buyer may opt for a complete integrated solution, with CorpNet Security providing encryption, VPN and home networking and other security technology.
The Power of Certification
Attorneys working with CorpNet Security state that in case of a security or privacy breach by an employee, proof of due diligence through Privacy Certification services may cause a court not to impose the high end of financial penalties on the organization.
Insurance companies are recommending the Privacy Certification to their customers in order to lower the number of breaches they will have to underwrite. Shaw also points out that, if the Privacy Certification becomes the de facto standard, it will eliminate the HIPAA requirement for a healthcare entity to have security agreements with all of its business associates.
More importantly, hospitals and physician groups that use the Privacy Certification program have an important marketing claim ("all of our employees are privacy certified!") and competitive advantage.
Outsourcing Addresses Bottom Line Concerns
No matter how large or small the organization, or which top executive is tasked with handling the business process changes involved with HIPAA compliance, each faces the same issues. The list of top challenges includes:
- Developing and updating policies and communicating them in a consistent manner across the entire organization.
- Funding the costs of training employees (including new employees).
- Handling the logistics of scheduling, testing, tracking progress.
- Preparing reports and compliance audits.
- Offering ongoing training when regulations change.
- Mitigating risk (legal, insurance) vs. managing risk.
Of course, a healthcare provider or payer could decide to develop solutions internally to meet these challenges in becoming HIPAA compliant instead of outsourcing. But with bottom-line concerns, the need to focus resources on improving the quality of patient care, and the strong competitive advantage that outsourcing CorpNet Security's Privacy Certification services presents, why would it want to?
Lessons from the Outsourcing Journal:
- The privacy and security requirements of HIPAA involve changes to all business processes. Outsourcing is an effective catalyst for change.
- An outsourcer's eLearning approach and ASP solution for employee training on HIPAA policies and procedures is more effective and cost-efficient than an internal solution and allows healthcare providers to focus resources on the quality of patient care.
- By outsourcing the education process to an outsourcer with privacy and security expertise, a buyer can mitigate its risk of legal liability in case of employee breaches.