Healthcare Information Security in the Cyber World

Brian S. Coats, Subrata Acharya
Copyright: © 2022 | Pages: 44
DOI: 10.4018/978-1-6684-6311-6.ch027

Abstract

Integrity, efficiency, and accessibility in healthcare aren't new issues, but it has been only in recent years that they have gained significant traction with the US government passing a number of laws to greatly enhance the exchange of medical information amidst all relevant stakeholders. While many plans have been created, guidelines formed, and national strategies forged, there are still significant gaps in how actual technology will be applied to achieve these goals. A holistic approach with adequate input and support from all vital partakers is key to appropriate problem modeling and accurate solution determination. To this effect, this research presents a cognitive science-based solution by addressing comprehensive compliance implementation as mandated by the Health Insurance Portability and Accountability Act, the certified Electronic Health Record standard, and the federal Meaningful Use program. Using the developed standardized frameworks, an all-inclusive technological solution is presented to provide accessibility, efficiency, and integrity of healthcare information security systems.
Chapter Preview

Introduction

Healthcare providers and payers have been attempting to achieve HIPAA compliance for nearly a decade. In 1998, shortly after HIPAA’s signing, the research firm Gartner Group estimated the implementation of HIPAA would collectively cost healthcare providers $5 billion and health plans $14 billion. By 2005, HHS was estimating that the costs could be at least 3 times the original amount for providers and as much as 10 times the original amount for health plans (HIPAA Security Rule, 2008). In 2009, HIMSS-sponsored research suggested that the actual implementation costs for providers would be closer to $40 billion (Title 45-Public Welfare, 1996). This trend indicates a considerable cost increase that in some cases could prove crippling, especially for smaller entities. The costs of these implementations have deviated even more than their timelines, creating financial burdens drastically higher than originally anticipated. Mounting costs aside, the original schedule set by the Privacy and Security Rules required compliance by 2003 and 2005, respectively (EHR Adoption Trends, 2004). Clearly these compliance goals have not been met by most healthcare organizations around the country. While the road to HIPAA compliance is proving elusive and costly, organizations clearly understand the importance and necessity of completing the undertaking. HIPAA will ultimately ensure better privacy and security of ePHI data. Organizations have both ethical and financial motivations to provide their customers the guarantees that HIPAA requires and are spending massive amounts of time and money on their implementations. It is critical for these organizations to have clear and comprehensive guidelines to follow for maximum efficiency in their efforts.

There are a variety of reasons why HIPAA implementations have proved more expensive and taken considerably longer than originally anticipated by federal regulators and healthcare organizations alike. The biggest hurdle to overcome is simply the creation of an assessment, testing, and implementation plan. While many government agencies, private foundations, and industry consortiums have established high-level guidelines and recommendations on how to address each of the HIPAA Rules, there is no nationally mandated implementation plan or standardized framework for organizations to follow. Each entity is responsible for reviewing the guidelines and determining the appropriate solution. The published recommendations are at a very abstract level and require much interpretation to formulate an actual implementation strategy. With a lack of clear direction, many entities have difficulty determining the best path for them to follow to satisfy each requirement. Furthermore, without an apparent plan or timeline, it becomes extremely difficult for organizations to generate realistic cost estimates for their compliance efforts and likewise secure the necessary budgetary commitments. This point has been demonstrated consistently since the first HIPAA implementations began. National cost estimates of HIPAA efforts are approaching a factor of ten higher than what regulators estimated when the law was first enacted (Coats, Acharya, Saluja, and Fuller, 2012).

One of the major steps towards fully meeting the HIPAA regulations is the implementation of an EHR system. With over 90% of healthcare providers in some stage of an EHR solution, HIMSS indicates that as of December 2011, only 66 hospitals, just over 1% nationally, have actually achieved Stage 7 – the final EHR adoption stage (Blumenthal and Tavenner, 2010). Furthermore, even with the federal government offering anywhere from $100,000 to over $2 million per provider, per year just to demonstrate the 'meaningful use' of a partial EHR implementation, only about 41% of providers have cashed in. Over $5.5 billion has already been paid to healthcare providers participating in the Meaningful Use program, but almost another potential $8 billion is being left unclaimed. Clearly providers are being given the proper motivation to implement EHR systems but are finding themselves ill-equipped to take the necessary steps to accomplish the task.