As healthcare continues to digitally transform, integrating health data among various IT stakeholders demands much more collaboration than our predecessors could have imagined. Once focused intensely on preventing fraud, waste, and abuse and ensuring high-quality patient care, the compliance department is tasked with maintaining programs that meet the regulations and laws of numerous government bodies pertaining to various areas, especially electronic protected health information (ePHI). Similarly, while the health information management (HIM) department and privacy officers were once knee-deep in paperwork, they’ve transitioned efforts to the privacy of electronic data, including addressing right-to-access requests and concerns. Security officers safeguard, protect, and monitor this information, in addition to other data and systems.
Likewise, IT departments were once charged with the basic upkeep of internal systems, including enablement of tasks related to patient throughput, administrative functions, billing, and e-mail. Expectations were generally limited to software updates, bug fixes, and solving computer and system usability issues. Responsibilities relating to the storage and accessibility of electronic information were minimal. Until recently, there was little reason for workers in the IT department to collaborate with those in privacy, compliance, security, or the end user. Now, with the proliferation of digital patient records and the technologies that enable their access and interoperability system-wide, IT roles have expanded in breadth and depth.
As the industry has moved farther and farther away from traditional paper records and associated paperwork, the silos that once separated these departments no longer exist. The IT department is not only on the front lines, ensuring technical operations run as smoothly as possible, but it is also a part of a collaborative team that helps healthcare organizations remain compliant and keeps patient data safe. This intertwining of key organizational roles enables, if not requires, communicative working relationships, proactive strategies for success, and ongoing maintenance of compliance as today’s complex healthcare environment continues to evolve.
1. IT and privacy
A healthcare organization’s IT department and chief privacy officer should have a strong working relationship. As IT fields user difficulties, complications, or complaints, IT staff must frequently communicate with the privacy staff. For example, as the first line of defense, IT may learn from a user that the user received communication about a records request despite not personally making the inquiry. IT has an escalation plan that includes notifying privacy staff about potential breaches and how the IT department can help in the investigation (and subsequent remediation) if needed.
More proactively, IT staff and the privacy officer must be closely aligned before system rollouts. Staff must be educated on topics like password hygiene so that the sharing of passwords is minimized or eliminated altogether. These departments also collaborate on ensuring access controls are appropriate and up to date as employee responsibilities and status of employment change. Optimally, IT and privacy will work together to develop a robust plan that yields continuous safe, compliant outcomes, avoiding any problematic gaps.
2. IT and compliance
A healthcare provider’s compliance officer should maintain a strong working relationship and communicate regularly with IT management, including IT project managers, IT security managers, and directors. As users interface directly with the systems in place, IT management understands the various risks, common questions, and opportunities for error throughout the user’s workflow. Compliance will consistently communicate with IT regarding the use of equipment as well as various service-level agreements in place to ensure compliance needs are met. The two departments must work together to modify and improve processes in areas where a failure point is identified.
Compliance ensures the organization meets the government’s requirements regarding data protection, consideration of the risk of breaches, and non-compliance penalties. Based on the ongoing feedback and information IT provides, compliance employees can audit, monitor, and take necessary steps to ensure organizational compliance on various fronts; regular communication is key. They also ensure qualified subject matter experts in privacy and security are doing their part to work with IT to ensure a seamless process.
3. IT and security
Security was once a siloed department, but given the sheer volume of health data and access requirements, there is a growing overlap between security, compliance, and IT teams. As the patient right of access has expanded to include all ePHI as of October 2022, providers, health IT vendors, and health information exchanges must expand the breadth of information patients can access in a secure – yet seamless – manner. It’s vital for the IT department to regularly connect with security experts about the security risks of current — and future — platforms.
For example, when IT staffers experience frequent resetting of passwords by users, it’s important they work with security officers to identify the cause of the issue and any additional vulnerabilities. IT and security can also collaborate to ensure ongoing success and risk mitigation, particularly as it applies to new system rollouts. Security is responsible for performing penetration tests and ensuring compatibility regarding existing systems, including the EMR, to safeguard data. Likewise, partnering with compliance and privacy to understand risk from a reputational, operational, patient safety, and financial standpoint will help establish a reasonable allocation of resources regarding IT protection.
4. IT and end users
Finally, the IT department should communicate regularly with end users to identify and rectify potential gaps in the platform or workflow. It’s one thing to ensure a smooth, error-free process in the test environment, but it’s an entirely different experience in the real world. It is critical for IT to maintain user allies internally within the organization and find out if they are observing or experiencing issues the developers are not. For example, IT is privy to user information regarding passwords, which, when weak, compromise the safety of the entire system. They can assist users by suggesting strong passwords and providing education about password hygiene and general system safeguards.
IT also directly communicates with end users or patients about challenges or gaps they experience when accessing a portal or related system. IT is the front line and should maintain an ongoing conversation about usability, performance, and potential improvements. By doing so, IT can expect that users will identify and report on issues in a regular, timely manner. This partnership will yield more intuitive, powerful technological solutions that generate greater satisfaction, benefitting all stakeholders.
Regular communication among various IT stakeholders is imperative. Gone are the days of standalone systems and siloed departments. Today, IT’s interaction with key organizational decision-makers is integral to safeguarding patient data, a primary component of delivering quality patient care.
About Elizabeth A. Delahoussaye
Elizabeth A. Delahoussaye, RHIA, CHPS, is the Chief Privacy Officer for Ciox, a Datavant company, and is based out of Knoxville, Tenn.