Case Studies
Security Management Partners Provides Audit and Roadmap to Compliance for Regional Healthcare Organization
The HIPAA Security Rule requires all covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) that they create, receive, maintain, or transmit; to protect against any reasonably anticipated threats to the security or integrity of such information; to protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule; and to ensure compliance by their workforce. SMP assisted a regional healthcare organization with this daunting challenge.

User Profile:

Spiraling healthcare costs spurred enormous merger activity throughout the 1990s, creating new and vast regional health care groups. The New England-based health care group was no different – emerging in 1996 from the union of three hospitals and dozens of ancillary community health clinics.

Knowing that in general, mergers can create complex organizational structures, the directors of the new entity instead were committed to creating a simplified organizational structure.

“This structure ensured that we would be able to compete in an increasingly competitive marketplace while offering the highest quality service right here in our own community,” said the hospital group’s president. This philosophy, coupled with the group’s long-standing commitment to organization-wide quality initiatives and clinical best practices, positioned the group for positive growth and expansion over the next decade.

The Problem:

But a growing community-based health delivery system with multiple access points relies heavily on electronic technology. And in this era of regulations, there was growing concern about whether the many different electronic transactions that transferred patient data were still in compliance with HIPAA, the 1996 Health Insurance Portability and Accountability Act.

The Act requires an entity to protect the confidentiality, integrity, and availability of electronic protected health information (EPHI) when it is stored, maintained or transmitted.

The challenge is to put safeguards around data without impeding patient care. The amount of information needed to provide thorough healthcare goes far beyond billing and patient records. Lab results, drug dispensing equipment, even heart and respiration monitoring systems rely on electronic transfer of information. In this not-for-profit health organization, protection of all EPHI fell under the auspices of three different and diverse business units.

The Vice President of IT felt fairly confident that the policies were in place and being adhered to, but she wanted to be certain. She wanted a full-blown HIPAA audit of the healthcare company’s infrastructure, policies and procedures across all business units.

One of the challenges behind HIPAA is that the regulations are more conceptual than literal. The Act requires that “adequate” measures be put in place. But what is adequate for one group may not be for another. And in health care, where a delay in data can mean jeopardizing patient health, the stakes are high.

That’s why she chose Security Management Partners (SMP), New England’s leading provider of security and compliance solutions, to conduct an independent assessment and help “broker” an organization-wide HIPAA policy.

The Solution:

Peter Bamber, Vice President of Consulting Services for SMP, is experienced in working with healthcare organizations, and his team understands the need for the proper personnel to access critical data when they need it. The team also understands the regulatory rigors placed on organizations. “Our job is to weigh the risks, the regulations and the business needs – and to craft a plan that meets all three criteria,” explains Bamber.

The first step was to provide an independent audit of the entire organization. “We looked at the external, internal and wireless infrastructures. We examined the existing policies and procedures. And we interviewed the business teams who needed to access data.”

This methodology is a proven one that SMP has used with more than 20 healthcare organizations. In the course of the interviews, SMP found some vulnerabilities and irregularities – as well as a company-wide desire to put in a new Voice over IP (VoIP) infrastructure.

“SMP gave us a very actionable report that told us what we were doing well,” explains the VP of Information Technology, “as well as gave us direction on how to improve practices.” The recommendation to segregate networks that SMP put forward became part of the scope of work for the VoIP vendor, as well as a standard for legacy systems.

“Large healthcare organizations with many campuses and facilities need to have the left hand knowing what the right is doing, in order to make sure the appropriate controls are in place to be in HIPAA compliance,” explains Bamber.

“At the highest level, SMP helped us create a unified team that communicates and coordinates with one another to make sure that the varying groups that oversaw local area network workstations and servers, biomedical devices and outside vendors are all working together,” says the organization’s VP.

SMP will be engaged to re-evaluate the newly completed infrastructure and to consult on an ongoing program to ensure continued compliance.

Copyright © 2008 Security Management Partners