After the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, the U.S. Department of Health and Human services estimated health systems would spend about $113 million to achieve compliance — plus $14.5 million annually to remain in the green, Medical Economics reported in 2019. However, the actual yearly costs of HIPAA compliance for institutions may be closer to $8.3 billion.
As major investments in compliance-related tasks continue straining resources, health systems must trade their reactive, report-based compliance programs for solutions powered by analytics and artificial intelligence.
“The speed, accuracy and volume of data that can be reviewed by AI, combined with the knowledge and insight of compliance officers, cannot be overstated,” says Teresa Burns, director of privacy operations and privacy officer at Protenus. “This technology is advancing healthcare compliance.”
To mitigate risk across the organization, a compliance analytics program should integrate data from disparate EHRs and audit 100 percent of events that occur within those EHRs and their ancillary systems.
Brimming with insights on building a compliance analytics program, Protenus’ newest whitepaper is available for download.
Below is a step-by-step guide to adopting a case-based compliance analytics system that will free up precious clinical and financial resources:
Step 1: Get a lay of the land.
Identify areas for improvement in current workflows by critically examining incident detection and reporting pathways; investigatory processes and all teams involved; case resolution protocols; and feedback loops.
Step 2: Drill into the data.
HIPAA requires data audits and monitoring but does not specify the type of data to be monitored or the frequency of auditing; these decisions are left to individual institutions. Housing reams of valuable patient data, EHRs are a wise starting point. From there, including data from human resources, specialty groups, pharmacy records and more can provide important context around suspicious interactions with PHI or prescription drugs.
Step 3: Set parameters around alerts and investigations.
To ensure they receive relevant and timely alerts for true violations, hospitals should establish a functional process by which data flows into the compliance analytics system. Each alert forms the basis for a case, which can be escalated to a full investigation if necessary based on evidence compiled by the system.
Step 4: Tie analytics to organizational policies.
Align compliance analytics with institutional policies and procedures by mapping clear consequences for each violation that may be detected. Early warning signs of risky behavior, for instance, can automatically trigger email reminders and training. In turn, a hospital can save money on investigation and prevent harm down the line.
Step 5: Streamline reporting processes.
State and federal agencies, as well as law enforcement on both levels, require healthcare providers to report certain compliance violations and notify affected individuals after discovery. With case-based compliance analytics reports — as opposed to report-based models relying heavily on manual review — organizations can easily review incidents, determine a course of action and satisfy a multitude of reporting requirements.
For more insights on building a compliance analytics program, download the latest whitepaper from Protenus.