Teaching Hospital Employees
The Health Insurance Portability and Accountability Act (HIPAA) is the primary legislation that regulates how personal health-related information is managed by healthcare institutions. Because of the increasing number of privacy-related issues concerning this data, it is imperative that all employees have the necessary knowledge and training to manage personal health information properly (Amatayakul, 2013). All employees should participate in a mandatory training program that is aimed at raising awareness of the importance of handling patient health records securely. Requirements imposed by HIPAA should be delivered in the form of clear objectives and methods of reaching these organizational goals.
The presence of patient health information is a necessity for a productive workflow within healthcare institutions. Therefore, it is inevitable that some of the data will be shared between hospital staff. Some of the examples of regularly exchanged information are electronic health records, demographic data of patients, and insurance information for billing purposes. These pieces of data come from patients under a variety of circumstances (Amatayakul, 2013). For instance, a registrar collects demographic and insurance information before referring the patient to a doctor, and the doctor collects further data by asking questions and examining the patient. Laboratory tests also provide data that should be safeguarded and managed appropriately. Therefore, any individual may be subject to suspicion when data leakage occurs. For instance, a clerk may unintentionally disclose private demographic data to other individuals, and doctors may share private information when having informal conversations. Moreover, laboratory staff may discuss the details of test results with individuals that are not authorized to have this information. To avoid such situations, information sharing should take place within an electronic system that is restricted from external access.
Penalties for breaching personal health information can be divided into two categories – civil and criminal. In both cases, the severity of punishment is determined by whether or not the individual who disclosed the data acted knowingly. Civil penalties usually result in payments from 1000 dollars to 50000 dollars per violation (Amatayakul, 2013). Criminal penalties include both monetary compensation and imprisonment for up to 10 years.
Personal health information is especially vulnerable while changing working shifts. The reason is that computer equipment may be unattended, and physical documents may be left on a desk. Therefore, it is imperative that all employees close programs that contain sensitive information (Amatayakul, 2013). Also, they should not leave important documents unattended – they should be kept in a locked drawer or another compartment. Under no circumstances health records may leave the healthcare facility – employees should not be permitted to take critical files and papers home.
Audit and Risk Mitigation
The internal audit program is aimed at evaluating whether or not a healthcare institution is meeting its objectives in protecting critical health-related patient information. While auditing can be performed on behalf of an external entity, internal audit can be turned into an iterative process that will improve compliance significantly. Ideally, there should be a separate department that manages risks and ensures compliance (Amatayakul, 2013). This department will be responsible for identifying areas that should be improved and providing assistance in meeting these objectives. While it should be a separate entity, its members may be composed of individuals from other critical departments, such as HR and top management. The first practice that should be evaluated by the audit team is how protected health information is stored and cataloged. It is imperative that all sensitive data is stored in an organized manner. The second practice that should be examined is safety mechanisms that protect that sensitive data. Risk mitigation plans are also critical, and the audit team should pay attention to those.
The results of the internal audit have the capacity to cause organizational change. Additional employee education may be proposed as a solution to identified shortcomings. Also, the process of handling sensitive data can be streamlined or minimized if such data is not necessary for the context of patient care (Amatayakul, 2013). Finally, the process of overseeing data protection should be made more robust. Risk mitigation fits well in this context because audits often indicate which areas should be improved. The primary objective of the risk assessment plan is to foresee potential vulnerabilities (Amatayakul, 2013). Potential risks include disclosure of information to third parties, failure of a data storage system, and compromised security. Each of these areas should be regularly assessed in order to identify points of failure before an actual failure takes place.
This risk assessment should be conducted each quarter, and the list of potential vulnerabilities should change according to assessment results. If data breaches and misconduct start to occur too often, risk assessment schedules should be adjusted, and evaluation should occur after short time intervals (Amatayakul, 2013). Completion of the assessment plans falls under the responsibilities of those who conduct internal audits. The reason is that they have more substantial knowledge on the topic of compliance and are more aware of what conditions may lead to loss of critical data.
Financial Implications
It is easier to manage sensitive information if it is all located in a central repository. In the case of physical documents, it is not possible to reach a substantial level of centralization because these records should frequently change their locations – doctors may need them, and administrators may require them (Amatayakul, 2013). Switching to an Electronic Health Record (EHR) system may solve the mentioned problems. The primary issue in integrating an EHR system into a hospital’s operations is financial costs. It is not cheap to install and maintain a system that should always balance between security and ease of use (Amatayakul, 2013). Therefore, convincing stakeholders to invest in an EHR system is not a trivial task. The executive officers, department administrators, compliance professionals, and physicians are four parties that have a direct impact on final decisions.
Centers for Medicare & Medicaid Services (CMS) imposes specific requirements for EHR systems and provides hospitals with financial incentives. For instance, the rule of meaningful use requires that hospitals prove that an EHR system positively impacted patient outcomes (Amatayakul, 2013). For meeting this criterion, the federal government provides financial benefits. Therefore, the new EHR system should have the capacity to meet the rule of meaningful use (Amatayakul, 2013). Another program under which CMS grants money relates to interoperability – an EHR should allow a more comfortable sharing of access to data while ensuring high-security standards.
Since EHR is a type of information system, there are no unusual hardware requirements. Servers are necessary to store application data, and the records, desktops can be used to access the system. For increased mobility, laptops and tablet PCs are required (Amatayakul, 2013). Therefore, the final cost of an EHR system is the price of the system and the amount of money required to buy the necessary hardware. The latter element depends on the scale of the hospital – as the number of employees and data grows, so do the memory and processor requirements for servers, and the quantity of desktops and laptops (Amatayakul, 2013). Considering the fact that the cost of EHR systems starts from 3 million dollars, the total investment may equal to 5 million or more. From Epic, Meditech, and Cerner, the former is the most expensive. However, it cannot be said that Epic offers much more features than other vendors. Cerner has the most favorable balance between price and the number of features. Tier 2 will cost approximately 5.5 million dollars in total. This number, however, does not include server costs and purchase of equipment. Therefore, the final price is going to be between 6 and 8 million dollars.
Key components that facilitate privacy and security in Cerner are the built-in intrusion prevention system and protection against denial-of-service attacks. Intrusion prevention is significant because it identifies a breach and undertakes required measures, such as reporting to cybersecurity personnel (Amatayakul, 2013). The availability of the system is also critical; therefore, the system should be resistant to denial-of-service attacks. Besides these security-related features, Cerner should incorporate an access management module. The reason is that the data breach that occurred in the hospital was caused by employee misconduct.
Training
Training Plan and Costs
After installing the EHR system, it is necessary to train all employees. Otherwise, there are going to be no real benefits from integrating the EHR system into the hospital’s operations. Assuming there are 150 individuals during day shift and 50 employees during night shift, it will take a total of 2000 hours of training because 10 hours is sufficient for each employee. Each training session lasts for about 2.5 hours, and therefore, each employee will need to participate in four sessions. Because roughly half of the personnel will have the ability to participate in training while the other half will supervise the operation of the hospital, it can be assumed that the whole training program can be done in 16 sessions. To ensure a comfortable learning experience, there should be small groups. Therefore, 16 sessions get multiplied by four, which results in 64 sessions. As mentioned, each session lasts for 2.5 hours, and assuming the fact that one-hour training will cost 21 dollars per employee, the whole training program will require 42 thousand dollars. It should be noted that the cost of all tiers of Cerner includes employee training.
Below is a sample training schedule for physicians that can be followed to ensure adequate hospital operation while some employees are off at training.
Therefore, it will require four weeks so that all physicians complete their training. A train-the-trainer program may help reduce the costs of training new employees. Instead of purchasing a separate training for each employee, current staff may teach the newcomers. Each trained employee may be made responsible for teaching one new worker.
Transition Plan
The transition can be broken into three phases – data migration, training of employees, and pilot launch. During data migration, technical personnel are responsible for the safe and reliable transfer of information from the old EHR system to the new instance. After all data is successfully transferred to the new system, training sessions may be conducted. Employee training may be facilitated by drawing comparisons between two systems and how functions of the old system may be mapped to the new EHR. At the same time, improvements and differences should be emphasized so that employees understand why the EHR switch was necessary and how to leverage the benefits of the new EHR system. Competency with the new system can be evaluated using tests and hands-on labs. In tests, employees may be asked how the functions of the old EHR system can be executed in the new instance. Hands-on labs can be developed which ask employees to perform specific actions with the new EHR system. The results of these assessments will reflect the employees’ level of knowledge.
Chief technical officers, department heads, and compliance specialists should be on-site during the transition period in order to support staff if they have any difficulties with using the system. The technical officer is responsible for any discrepancies in the functioning of the EHR system. If the system was configured incorrectly, the officer should contact the vendor and require immediate assistance. Department heads should be present to support and assist their subordinates. Finally, a compliance officer should be on-site to provide information about how each of the components of the EHR system will facilitate secure storage, and explain how to handle data adequately. The majority of functional errors should be eliminated during the training stage. The last phase of the transition period should only deal with minor mistakes.
The hospital will receive financial awards from the federal government for successfully using information systems to improve patient outcomes. Therefore, the share of this benefit may go to employees that demonstrate expertise in using the new EHR system in order to incentivize learning. Results of knowledge assessments may be used as the basis for rewards. It is imperative to collaborate with the administration in this context – results may be provided to the administration, who, in turn, calculate the amount to be awarded.
References
Amatayakul, M. (2013). Electronic health records: A practical guide for professionals and organizations. American Health Information Management Association