Most recent data shows there are 6,129 hospitals [1], 6,087 Medicare-certified ASCs [2], and 54,642 outpatient care centers [3]. While these sites-of-service are the most common types people envision when they think “healthcare”, these 66,000 or so different sites do not even begin to scratch the surface of the true “healthcare” landscape.
The healthcare industry is rapidly expanding beyond traditional sites-of-service like those mentioned above. In 2022, there were over 350,000 “health” mobile applications on the market, with over 90,000 of those added in 2020 alone [4]. Much of this is attributable to the COVID-19 pandemic, which forced millions of Americans to find alternative ways of securing treatment, and to the free-market response to that demand. Growth in health apps has since slowed because venture capitalists lost heavily on investments made between 2019 and 2021, and the VC industry as a whole is expected to be far more selective with its healthcare investments [5]. With 2024 now upon us, and with the phenomena of “artificial intelligence” and “machine learning” (AI/ML) taking hold, we will likely see a significant boom of large firms and entrepreneurs trying to enter the healthcare AI/ML industry. This influx of competition will likely reel many of the VC investors back in; this, in turn, opens the market to more products and solutions that will have a significant, widespread impact on the healthcare industry.
On a macro-level, there are dozens of different “industries” under the healthcare umbrella. From traditional brick-and-mortar locations like a hospital or ASC, to digital health companies like Headspace, as well as insurance companies, pharmaceuticals, bio-tech…I think you get the picture. But with all these different variations of care delivery, technical solutions, products, and service models, how are workforce members staying up-to-date on all these changes, and how does it impact their role from an IT or InfoSec perspective?
One thing most of these organizations have in common is that they are required to follow the Health Insurance Portability and Accountability Act (HIPAA). While many people see “HIPAA” and roll their eyes, I want to provide a high-level overview of how it really works.
HIPAA’s purpose is to serve as a framework for applicable healthcare organizations (known as covered entities) to follow when creating, maintaining, or modifying their IT/InfoSec infrastructure and associated processes. The way the U.S. Government administers this regulation can be viewed as a Mad Lib given to a healthcare organization. The organization then has the ability to complete it based on its needs, capabilities, and culture.
In practice, HIPAA looks something like this: there are around 200 different performance criteria that are either “required” or “addressable.” Whether a criterion is addressable or required, each has a description of what is needed, while leaving significant latitude in how that description is interpreted.
For example:
§164.530(b)(1) Standard: Training: A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.
(2) Implementation specifications: Training. (i) A covered entity must provide training that meets the requirements of paragraph (b)(1) of this section, as follows: (A) To each member of the covered entity's workforce by no later than the compliance date for the covered entity; (B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity's workforce; and (C) To each member of the covered entity's workforce whose functions are affected by a material change in the policies or procedures required by this subpart or subpart D of this part, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section. (ii) A covered entity must document that the training as described in paragraph (b)(2)(i) of this section has been provided, as required by paragraph (j) of this section.
While many of the terms you see are defined within the Rule, there is still ambiguity. When reading the Implementation Specification above, some questions you probably have are: “What does ‘workforce’ mean?” or “What is a ‘reasonable period of time’?” Let’s go through it…
HIPAA tells you what “workforce” means… kinda:
Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate. (45 CFR § 160.103)
Reading this, you probably assume one of two things: (1) just give the training to everyone, or (2) just pick out the people you know will handle PHI, and give it to them. Sounds easy!
Well, while both of these are acceptable and “compliant” (from a very high level), there are trade-offs.
In scenario one, everyone who is a “workforce” member of the facility, from your CEO to someone who volunteers, is required to take the training, and the organization must provide it, monitor it, and document its completion. This means that even an individual who wants to volunteer for a single day is required to take all pertinent trainings, and the facility/organization has to retain that record the same way it does for its executives and its full-time and part-time workforce members. There are ways around this by addressing it within your policies, but I will cover that in a future newsletter.
In scenario two, classifying workforce members into “PHI” vs. “Non-PHI” roles is a lot more difficult than it seems. Take a janitorial/environmental services team as an example. You may assume, “They just clean; they will never be in an EMR going through records or interacting with patients. Why would they need to know about HIPAA?” While this is indeed a logical thought process, your janitorial/environmental staff are some of the most important people to train on handling PHI. Why? Think of how easy it is for a member of that team to come across a loose paper record, or to have to clean an area or device with exposed or accessible PHI. Shouldn’t they be trained on how to handle it?
I highlight janitorial/environmental staff not because theirs is perceived as a “low skill” job or career, but because it is a crucial job in a healthcare setting that may very easily be overlooked and under-appreciated by a compliance team when determining certain operational processes.
For things like “reasonable period of time” or “material change” (both in the implementation specification above), though? Your guess is as good as mine!
Every year, there are “material changes” to HIPAA, though those do not always equate to “material changes” within your organization's operations or policies, which is what the rule contemplates.
You’re definitely saying, “Ok, Mike, what’s your point? Cut to the chase!” And I am getting there, I promise! The point I am trying to make is that this level of thought and consideration is just for a single performance criterion under HIPAA (§164.530(b)(1) Standard: Training). There are still over 200 others that an organization is required to implement (required) or, if it does not, to justify not implementing (addressable). These are things compliance officers/leaders are constantly thinking about: checking alignment with their organization’s policies and procedures, and, if something does not align, determining what policy or procedural changes need to be made. Which, in and of itself, is not an “easy” task.
So, like a Mad Lib, the US Gov’t will clarify that you need a “noun” or a “verb” for a given performance criterion, and that allows you to pick from thousands of different combinations or methods that fit your organization, which should be based on its needs, capabilities, and culture. Using the training criteria above as an example, you could give HIPAA training to new hires and then, after that, every month, annually, bi-annually, or only when company policy changes. These cadences would all be “compliant” with the criteria, though it is up to the organization to codify the cadence in policy and ensure it is being followed. Rinse, repeat, nearly 200 times over… and that is just for HIPAA.
In theory, HIPAA could be more granular, and say “an aquatic mammal” (i.e., “once a year”), or even hyper-specific, and say “dolphin” (i.e., “once a year with the following content…”), but that takes autonomy away from organizations, which is the fundamental practice and belief of a firm operating in a free-market economy like the U.S. This is also a reason why HIPAA is administered the way it is. If every criterion were more granular, it would likely create significant barriers to entry for firms that may not have the technical capabilities of large, multi-billion dollar corporations.
This is why, for many of the criteria under HIPAA, if you ask 10 different compliance leaders “What do you do for [insert performance criterion]?” or “What is the best way to address [insert performance criterion] under HIPAA?”, you may very well get 10 different answers, which is how the IT/InfoSec regulatory environment is supposed to function.
Where an effective compliance leader earns their keep is in determining which solutions are more cost-effective than others. Cost-effectiveness within the compliance space requires an understanding of your organization’s size, capabilities, needs, risks, and culture, which is something a compliance officer/leader should be able to convey to their leadership. This is, though, a significant struggle for many organizations, because there is a misunderstanding of the nuances of many rules/regulations/laws, from the CEO to the volunteers from the local high school.
A perfect example of this happened during my time working for the Walmart HIPAA compliance team. During an organizational-wide meeting, Doug McMillon (CEO, Walmart, Inc), one of the wealthiest and most influential people on earth, said (paraphrasing):
“We had an Interns vs Executive softball game and one of the Interns had an injury… I wish I could tell you what happened, but that would violate HIPAA and we don’t want to do that!”
While this was a tongue-in-cheek remark, meant to be humerus (I found out later the intern had broken their arm… see what I did there?), it opened my eyes to just how convoluted HIPAA and other rules/regulations are for most people. Even those as smart and successful as the CEO of the biggest company on earth.
And, just so we’re clear… That is definitely not a HIPAA violation.
The healthcare regulatory compliance space is very much a test of one’s ability to look at things philosophically, and, when done correctly, it offers a great deal of leeway and opportunity for organizations to assess their own needs, capabilities, and culture, and then implement the proper controls. Where organizations struggle is in understanding why many of these regulations allow this, and in conveying that “why?” to leadership as well as to the workforce. The main purpose is not for HHS/OCR to enforce and evaluate every single performance criterion, but to put your organization in the best position to prevent a breach. If you fail to do so, that is the point at which HHS/OCR will step in and evaluate all performance criteria, which is not something any organization wants.
That is the purpose of this newsletter: to look at the philosophical side of healthcare regulatory compliance, to help everyone from executive leaders and decision makers, to compliance officers, to those who are simply intellectually curious understand the “why?”, and to highlight that there is rarely a single “right” answer for many of the issues an organization experiences in regulatory compliance.
I plan to make these newsletters as entertaining and immersive as possible, and I hope anyone who reads them will walk away with some knowledge they can take to their organization or use in their personal life. In future discourse, I will cover specific examples ranging from legal cases and HHS/OCR current events to discussions with healthcare executives and compliance leaders.
Most importantly, this newsletter will empower workforce members to drive change within their department or organization, and for executive leaders to have a better understanding of the nuanced, or philosophical, side of HIPAA and regulatory compliance.
If this is something that interests you, or if you have any friends or colleagues that may be interested, please subscribe and share!
[1] https://www.aha.org/statistics/fast-facts-us-hospitals
[2] https://www.ascassociation.org/asca/medicare/asc-map/ascs-per-state
[3] https://www.census.gov/programs-surveys/cbp.html
[4] https://www.iqvia.com/-/media/iqvia/pdfs/institute-reports/digital-health-trends-2021/iqvia-institute-digital-health-trends-2021.pdf?_=1628089218603
[5] https://www.bvp.com/atlas/2024-healthcare-and-life-sciences-predictions?utm_source=linkedin&utm_medium=owned&utm_campaign=2024-healthcare-and-life-sciences-predictions#1-Tourist-investors-will-leave-healthcare%E2%80%94for-now