2,999 research outputs found

    Towards HIPAA-compliant healthcare systems

    In the healthcare domain, there is a gap between healthcare systems and government regulations such as the Health Insurance Portability and Accountability Act (HIPAA). Violations of HIPAA not only may cause the disclosure of patients' sensitive information, but also can bring about tremendous economic loss and reputation damage to healthcare providers. Taking effective measures to address this gap has become a critical requirement for all healthcare entities. However, the complexity of HIPAA regulations makes it difficult to achieve this requirement. In this paper, we propose a framework to bridge such a critical gap between healthcare systems and HIPAA regulations. Our framework supports compliance-oriented analysis to determine whether a healthcare system complies with HIPAA regulations. We also describe our evaluation results to demonstrate the feasibility and effectiveness of our approach.

    Theory of Regulatory Compliance for Requirements Engineering

    Regulatory compliance is increasingly being addressed in the practice of requirements engineering as a mainstream concern. This paper points out a gap in the theoretical foundations of regulatory compliance, and presents a theory that states (i) what it means for requirements to be compliant, (ii) the compliance problem, i.e., the problem that the engineer should resolve in order to verify whether requirements are compliant, and (iii) testable hypotheses (predictions) about how compliance of requirements is verified. The theory is instantiated by presenting a requirements engineering framework that implements its principles, and is exemplified on a real-world case study.

    HIPAA Compliant Patient-Provider Communication: Student-Clinician Perceptions

    Purpose: To evaluate the service learning clinical training facility’s HIPAA training by assessing student-clinician knowledge of the clinic’s HIPAA Compliance Plan and the impact of its training on student-clinician perceptions toward HIPAA-compliant patient-provider communication (PPC). For example, do student-clinicians feel it is important to be HIPAA-compliant and are they confident in discussing health-related activities and programs with patients or caregivers? The purpose of this project is not, at this time, to measure student-clinician intention to perform the behavior. Methods: This project employed a mixed-methods, non-experimental cross-sectional study design using a retrospective post-test survey and group interview. The survey was administered to student-clinicians (N = 39) at the service learning clinical training facility who were enrolled in the speech-language pathology and audiology programs. Survey responses were analyzed using the Wilcoxon Signed Rank test and descriptive statistics assessing knowledge. A group interview was conducted with a subset of first-year student-clinicians (n = 2). The group interview provided additional context and insight into how student-clinicians may actually perform when presented with the most common clinical scenarios for PPC at the clinic such as, 1) caregivers accompanying clients into the exam room, 2) email communication with a caregiver requesting information to assist the client, and 3) communication with a client in a public space. Common themes and the most common responses for each scenario were identified. 
    Results: Overall, the Wilcoxon signed-rank test showed that the clinic's HIPAA training produces a statistically significant improvement in student-clinician perception six months post training as it relates to HIPAA-compliant PPC through analysis of perceptions toward self-efficacy (Z = -4.814, p Recommendations: 1) Based on the findings of the service learning activities and the evaluation, implementation of HIPAA training sessions periodically throughout the academic year in addition to continuation of the current annual training session should be completed. 2) Further evaluation of the clinic's workforce in relation to behavioral intention to complete HIPAA-compliant PPC should be completed through replication of the evaluation using a traditional pre-post survey administered immediately before, after and 6 months post annual training. 3) The Clinic should implement electronic forms to assist the workforce when reporting a breach in HIPAA privacy. An electronic reporting process might enable a greater sense of one's ability to perform a behavior while increasing confidentiality of the reporter.

    A Comparative Analysis of HIPAA Security Risk Assessments for Two Small Dental Clinics

    Cyber security risk assessments in the healthcare industry are legally required and demand an ongoing investment of time and resources. Small healthcare clinics are less likely to have streamlined processes in place to meet these requirements. This work presents two case studies featuring qualitative Health Insurance Portability and Accountability Act (HIPAA) security risk assessments of small dental clinics using the free Security Risk Assessment (SRA) tool provided by the US Department of Health and Human Services. One clinic used a cloud service provider to safeguard protected health information (PHI) while the other used an on-premises server. The data revealed detailed information relating to the cyber risk posture of each organization within the scope of the HIPAA Security Rule. Analysis included suggestions to mitigate the compliance gaps and vulnerabilities within the environment. Based on the data gathered, a comparative analysis of using the cloud vs. on-premises to manage PHI was conducted to provide insight into the need to balance security with other business requirements. This work provides greater context to the process of conducting HIPAA-compliant security risk assessments, including the responsibilities that small healthcare providers must own to protect their business reputation in the event of a major security incident.

    Mandated Government Regulations in Healthcare: Is Healthcare IT Overregulated? A Post-Mandate Study

    Over the past decade, healthcare organizations have been subjected to many federally mandated statutes to comply with. Three of the biggest statutes over the last decade are the Health Information Portability and Accountability Act (HIPAA), the Red Flag Rules, and the Health Information Technology for Clinical Health (HITECH). These mandates deal directly with the security of electronic patient information. To date, many entities have provided estimations of cost of compliance. Some have provided quantitative models to calculate the return of IT investments. Very few have attempted to look retrospectively and determine the level of and barriers to compliance. This quantitative study used a similar study as the framework to build upon. The study in part used survey questions from Mhamed Zineddine's doctoral dissertation titled, "Compliance of the healthcare industry with the Health Insurance Portability and Accountability Act security regulations in the Washington State: A quantitative study two years after mandatory compliance." The survey asked hospital Information Technology directors and managers questions to look at the level of compliance with the Health Insurance Portability and Accountability Act standards. Additionally, the survey asked questions to determine the impact on a health care organization when attempting to comply with multiple government mandates simultaneously. The analysis is an attempt to answer the question "Is Healthcare IT over regulated?"

    Assessment of HIPAA compliance: a comparison study of current implementations

    The Health Insurance Portability and Accountability Act (HIPAA) is a set of federally mandated regulations passed down to the healthcare industry in an attempt to simplify administrative procedures and reform the insurance market. HIPAA intends to provide healthcare savings by reducing administrative costs by standardizing electronic administrative processes throughout the healthcare industry. It also intends to protect individual privacy from outside agencies with tough new privacy and security measures that include physical security as well as electronic security. As healthcare organizations attempt to become compliant with the new regulations, a deadline for HIPAA compliance looms nearer, threatening the organizations with the possibility of fines for infractions of the federal regulations. The National Committee on Vital Health and Statistics (NCVHS) recently commented that they were surprised and disturbed by high levels of confusion and frustration regarding the compliance efforts of healthcare providers. In this thesis, research is performed to assess the HIPAA readiness of local healthcare providers, specifically Mercy, Methodist, Broadlawns and Mary Greeley hospitals. The data collected from these healthcare organizations is used to compare and contrast the local organizations with each other and against a national benchmark. The results of this comparison show differences within each local health care organization's approach to HIPAA compliance, their concerns and overall perceptions of the HIPAA Act of 1996. Another result of this thesis is an assessment of local HIPAA readiness in relation to national levels of compliance.

    Harmonizing Regulatory Regimes for the Governance of Patient-generated Health Data

    Patient-generated health data (PGHD), created and captured from patients via wearable devices and mobile apps, are proliferating outside of clinical settings. Examples include sleep trackers, fitness trackers, continuous glucose monitors, and RFID-enabled implants, with many additional biometric or health surveillance applications in development or envisioned. These data are included in growing stockpiles of personal health data (PHI) being mined for insight by health economists, policy analysts, researchers, and health system organizations. Dominant narratives position these highly personal data as valuable resources to transform healthcare, stimulate innovation in medical research, and engage individuals in their health and healthcare. Large tech companies are also increasingly implicated in these areas, through mobile health application sales and data acquisitions. Given the many possible uses and users for PGHD, ensuring privacy, security, and equity of benefits from PGHD will be challenging. This is due in part to disparate regulatory policies and practices across technology firms, health system organizations, and health researchers. Rapid developments with PGHD technologies and the lack of harmonization between regulatory regimes may render existing safeguards to preserve patient privacy and control over their PGHD ineffective, while also failing to guide PGHD-related innovation in socially desirable directions. Using a policy regime lens to explore these challenges, we examine three existing data protection regimes relevant to PGHD in the United States that are currently in tension with one another: federal and state health-sector laws, regulations on data use and reuse for research and innovation, and industry self-regulation of consumer privacy by large tech companies. We argue that harmonization of these regimes is necessary to meet the challenges of PGHD data governance. 
    We next examine emerging governing instruments, identifying three types of structures (organizational, regulatory, technological/algorithmic), which synergistically could help enact needed regulatory oversight while limiting the friction and economic costs of regulation that may hinder innovation. This policy analysis provides a starting point for further discussions and negotiations among stakeholders and regulators to do so.