Issue link: https://beckershealthcare.uberflip.com/i/170067
Special Section: Health Information Technology

have department-specific information as well as patient and clinical diagnostic information. Enterprise-wide data may include this departmental information as well as data from an electronic medical record with a patient's address, phone number or allergies. In order for interoperability within a hospital or health system, the network and infrastructure will need capabilities to collect, aggregate and manage each data type.

According to Mr. Caldwell, hospitals have struggled with internal interoperability — sharing point-of-care, departmental and enterprise data among departments and facilities — for years. True interoperability involves intelligent bridging — not just connecting — information, according to Ms. Katzman. A hospital's utilization of the information is important as there are different products and systems necessary for sharing data at the point-of-care, departmental and enterprise levels.

5. Hospitals need interoperability with physician groups and the community.
While interoperability is not perfect in internal scenarios, Mr. Caldwell believes that hospital executives should place focus on interoperability with partners in the community as well because it is where they have placed the least amount of focus.

"[With all the different IT systems being used], it is like all the physicians in a community are living in different countries, speaking different languages. How do you start to become interoperable when no one is speaking the same language?" asks Mr. Caldwell.

Some organizations that have affiliated with, or even acquired, physician groups can use a single EHR platform across all their facilities. According to Mr. Caldwell, interoperability is easier in those instances because the organization can mandate what type of system its employees use. However, not every hospital or health system owns or employs physician groups. According to Mr. Caldwell, healthcare executives need to pursue technology that offers interoperability not just across their organization's EHR system but across disparate systems as well. "It is the biggest stumbling block," he says.

According to Mike Detjen, vice president of service offerings for Arcadia Solutions, a healthcare consulting company, there are many technical decisions to be made based upon the type of information shared. "There are multiple layers [of necessary technology] to think about now. You might have to share with an affiliate group of physicians as well as non-affiliated physicians who you are competing with," says Mr. Detjen. "Do you need an enterprise service for this exchange or can you route messages point-to-point? As the data exchange moves further away from the hospital, you need to think purposefully about the network topology."

With interoperability, providers can share information to inform better decisions at the point-of-care as well as analyze and aggregate patient data to inform clinical decisions and population health management initiatives. Information exchange is at the root of interoperability, and without it HIEs, accountable care organizations, risk-based payments and the movement toward higher-quality, lower-cost healthcare may not be realized. These issues are currently complicating the industry's path and should be addressed in 2013 if goals set by federal initiatives are to be met.

9 Ways Hospitals Should Prepare for HIPAA Audits
By Kathleen Roney

As part of its health information privacy and security compliance program, the Office of Civil Rights began piloting the HIPAA Privacy & Security Audit Program in November 2012 to ensure covered entities and business associates are compliant with HIPAA privacy and security rules and breach notification standards. The HITECH Act requires HHS to perform periodic audits to check for HIPAA compliance.
Under the pilot program, OCR planned to perform 115 audits of covered entities before December 2012. According to Matt Jackson, director with Protiviti, a global consulting firm with a focus on IT and internal audit consulting, the OCR intends to develop a permanent audit program based on findings from the pilot audits.

"It is still very likely that hospitals can be audited as part of the pilot. In addition, [OCR] fully expects that the process and the audit protocol will expand, and additional organizations will be audited," says Mr. Jackson.

If a hospital is not selected for an audit under the pilot program before December, they may still be subject to future HIPAA audits under the expanded program. "It is not a matter of if a hospital will be selected but when," says Reza Chapman, senior manager and one of the leaders of Ernst & Young's information security and privacy services practice.

Here Mr. Jackson; Mr. Chapman; Damon Petraglia, director of forensic and information security services for Chartstone Consulting and former federal contractor for HHS; and Mahmood Sher-Jan, CHPC, vice president of product management for ID Experts, discuss nine ways hospitals can adequately prepare for HIPAA audits and achieve success in the overall privacy and security of electronic personal health information.

Preparing for a potential audit — and HIPAA compliance in general — can be an overwhelming and time-consuming initiative. In the face of stage 2 meaningful use, ICD-10 and other industry initiatives, hospitals may sideline audit preparations. However, any hospital could still receive an audit notification, so delaying preparations could be disastrous.

When a hospital receives a notification, they only have 15 days to gather all the necessary material. In order to avoid the scramble, hospitals should prepare as if they will definitely be audited. If they do not receive a notification, then they will be prepared for a potential audit in the future.

"Hospitals should be taking action right now. Assume the worst-case scenario — that you've been selected for an audit and have only two weeks to prepare," says Mr. Jackson.

1. Become familiar with audit protocol.
Hospitals need to be familiar with the audit protocol, which is essentially a guide to what auditors will want documentation of during an audit. According to Mr. Chapman, remarks from OCR Director Leon Rodriguez have suggested there will be little leniency for HIPAA noncompliance given the 15-year history of HIPAA and the substantial technical assistance made available to hospitals.

While it may seem intuitive, if a hospital has not thoroughly reviewed the protocol, it should. "Hospitals would be wise to leverage the publicly available audit protocol as they prepare for potential audit. It is a key step to determine what documentation the hospital would need if it were to receive a notification letter," says Mr. Chapman.

The audits will analyze processes, controls and policies of hospitals pursuant to the HITECH Act. OCR's comprehensive audit protocol contains requirements to be assessed through the audits. The protocol includes 168 performance criteria — 78 for security, 81 for privacy and 10 for breach — which detail key activities hospital management should implement to ensure HIPAA compliance.