The problem is manifested in a disconnectedness of EHR integration of Williams Medical Services (WMS) from Leonard Williams Medical Center’s (LWMC) implementation of a computerized physician order entry (CPOE) system, where the latter is supervised by the chief information officer (CIO) and IT department. The lack of cooperative measures between LWMC and WMS can incur significant costs alongside operational inefficiencies (Sinhasane, 2019). The scope of the issue is large and organization-wide because it involves not only WMS but also LWMC. After all, the improper integration of EHR will impact both due to interoperability. It is stated that “despite government incentives and regulations to encourage greater interoperability, data sharing remains a serious issue among healthcare providers” (Langlois, 2021, para. 16). The issue is highly significant because it affects both organizations. The EHR implementation needs to be effective and well-coordinated because their operations rely on each other.
The case presents a situation where organizations, specifically LWMC, do not adhere to standard safeguards to protect the privacy and security of health information of their patients. Following the Health Insurance Portability and Accountability Act of 1996 (HIPAA), part 164, subpart E, § 164.530 Administrative requirements, (c)(1) on Standard: Safeguards, “a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information” (U.S. Department of Health and Human Services, 2013, p. 112). In other words, it is safe to state that the lack of supervision from the CIO and IT department alongside the EHR implementation solely by healthcare professionals indicates the lack of such safeguards.
Similarly, according to HIPAA, part 164, subpart E, § 164.530 Administrative requirements, (2)(ii) on Implementation specification: Safeguards, “a covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made under an otherwise permitted or required use or disclosure” (U.S. Department of Health and Human Services, 2013, p. 112). In other words, the hesitance from the CEO to enforce intervention and supervision of the CIO and IT department of the EHR implementation at WMS indicates that no reasonable safeguards are put in place since WMS physicians might not be competent in these matters. Therefore, the management needs to consider the HIPAA standards, specifically administrative requirements, if they want a proper integration of EHR.
Both internal and external communications systems do not fully comply with the health information privacy and security standards and regulations, but the definitive judgment can only be made after both LWMC and WMS complete their EHR installations and establish their interoperability. However, at the moment, the lack of cooperation might not comply with HIPAA, part 164, subpart E, § 164.522 Rights to request privacy protection for protected health information, (b)(1)(ii) on Standard: Confidential communications requirements. It states that “a health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations” (U.S. Department of Health and Human Services, 2013, p. 105). Since WMS provides tertiary medical services to LWMC’s patients, the latter might request their confidential health information. However, the lack of interoperability and well-coordinated communication systems between WMS’s EHR and LWMC’s CPOE might not comply with the accommodative needs of the regulation.
The assessment of the organization’s communication system needs to be done in all three types of systems. There are provider-to-provider systems, provider-to-patient systems, and internal messaging systems (HIPAA Journal, 2021). The case is centered around provider-to-provider systems if LWMC and WMS are considered separate organizations. The fact that physicians ignored CIO’s technical advice violates HIPAA, part 164, § 164.308 Administrative safeguards on Standard: Assigned security responsibility. The latter states one needs to “identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate” (U.S. Department of Health and Human Services, 2013, p. 64). In other words, such an official can be the CIO, who was not contacted, and hence, identified.
WMS physicians ignored CIO’s technical expertise, which should not happen if the organizations have strict management policies, which means that they do not have the necessary regulations at the enterprises. HIPAA, part 164, § 164.308 Administrative safeguards on Risk management states that healthcare organizations must “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” (U.S. Department of Health and Human Services, 2013, p. 64). The lack of policies enforcing cooperation indicates that reasonable measures are absent regarding risk management.
The organization has HIPAA, part 164, § 164.308 Administrative safeguards on Sanction policy to address the problem. It states that the management can “apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate” (U.S. Department of Health and Human Services, 2013, p. 64). In other words, the CEO, as well as CIO, have the authority and obligation to punish WMS’s physicians for noncompliance with the HIPAA regulations since they are violating patient health information’s security and privacy by not involving the CIO and IT department. By imposing these sanctions, the organization will ensure that such behaviors will not be tolerated and punished.
References
HIPAA Journal. (2021). The three categories of communication systems in healthcare. HIPAA Journal. Web.
Langlois, L. P. (2021). Overcoming the top EHR implementation challenges. Physician Practice. Web.
Sinhasane, S. (2019). Top 10 EHR implementation challenges and how to overcome them. Mobisoft. Web.
U.S. Department of Health and Human Services. (2013). HIPAA administrative simplification. Web.