Preserve Patient Records with Automated Regulatory Compliance

Healthcare has always taken the responsibility to protect patient privacy very seriously.  In fact, there are entire departments dedicated to servicing patient information requests and assessing potential privacy violations.  Every time we read an article in the news or on social media about an actor or other famous person receiving treatment, there is likely a BIG privacy investigation going on.  I know we love the dirty laundry, but HIPAA is VERY clear that you must have a medical or business necessity to view a patient’s records without prior written authorization from the patient.  Historically, these investigations start and stop with the Electronic Medical Record (EMR).  Most EMRs have strong audit logging that shows who accessed a record and what role they had in the patient’s care.  Even so, working through those logs takes a phenomenal amount of effort, and it only accounts for the patient information held within the EMR.

As healthcare rapidly changes, we KNOW that PHI can be found throughout the modern healthcare organization.  HIPAA is clear that PHI must be protected regardless of the medium or format it is held in.  How do we as providers meet this regulatory requirement across all the new channels such as email, texting, collaboration tools and social media?  How can we protect our information while constantly being asked to share it?

It’s not an easy task, but having the right process and tools can make all the difference in success or failure.

We all know that much of patient care is still done outside of the “official” medical record.  PHI can be found in emails, spreadsheets, Word documents, presentations, text messages and many collaboration tools.  Often healthcare organizations have great difficulty telling PHI apart from other data.  We have found through healthcare focus groups that it costs about $8 per record to properly secure PHI according to HIPAA.  I have often wondered: if you cannot identify or differentiate the PHI from everything else, does an organization have to secure EVERY RECORD at $8 each?  We have tried blanket techniques in the past, such as encrypting every PC or laptop just in case; that limits exposure when a device goes missing, but it still does not give you an accurate inventory of which records were lost.  We have tried policies requiring everyone to keep PHI only in secure locations, but human nature prevails absent technical controls.

So enough about what you already know and on to our perspective on how to achieve automated regulatory compliance.  At VERITAS, we believe that your information is the foundation of your business.  We have assisted 86% of the Fortune 100 to identify, protect and leverage their information.  For healthcare, PHI is not only an asset that needs to be secured, it is the future of healthcare.

It all really starts with visibility: being able to differentiate the PHI from all other data.  This can be done with a number of technologies, including VERITAS Enterprise Vault and Data Insight.  Enterprise Vault can look into the CONTENT of all supported file types and tell you whether an item contains PHI.  You can search email, SharePoint, social media and over 60 other data types for identifiers such as medical record numbers or Social Security numbers.  This simplifies the process, provides the much-needed controls, and gives real guidance on how your data should be classified.  We have even done nightly extracts of medical record numbers from the EMR for an exact content match against unstructured data, which catches the records you actually hold rather than anything that merely looks like an identifier.

Once the data has been classified, you move into the arena of true control: Enterprise Vault applies your organization’s policy to that data.  A good example is Enterprise Vault’s management of PHI in the cloud.  Many organizations are concerned about PHI extending into the cloud, where control sits outside the organization.  Enterprise Vault determines whether an item should be archived to the cloud, tags it for search, supervision or eDiscovery, and sets the appropriate retention schedule.  If certain types of content are present, it can even route the item to Compliance or Security for review.
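To make the two detection approaches above concrete, here is an added example of content-based PHI discovery written for this page. It is not Enterprise Vault code and uses no Veritas API: it pairs a Social Security number pattern check (with the number ranges the SSA never issues rejected to reduce false positives) with an exact content match against a nightly extract of medical record numbers, the way the post describes. The MRN format (the letters MRN followed by seven digits), the keyed-hash secret, the extract and the three sample documents are all constructed assumptions for illustration. The match list is held only as keyed SHA-256 digests so the scanner does not itself become another copy of PHI.

```python
"""Added example: content-based PHI discovery over unstructured text.

Not Veritas code. Implements two detectors the post describes: a
pattern match for US Social Security numbers and an exact content match
against a nightly extract of medical record numbers (MRNs). The MRN
list is stored only as keyed SHA-256 digests, so the scanner does not
become another copy of PHI. The MRN format ('MRN' + 7 digits), the key
and the sample documents below are constructed assumptions.
"""
import hashlib
import hmac
import re
from typing import Dict, List

# Hypothetical MRN format: the letters MRN followed by exactly 7 digits.
MRN_RE = re.compile(r"\bMRN\d{7}\b")
# SSN candidates: 3-2-4 digits with dashes, spaces, or no separator.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Key for the keyed hash of MRNs; in practice this lives in a secrets store.
EDM_KEY = b"rotate-me-nightly"  # assumed value for the example


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject candidates the SSA never issues, cutting false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def mrn_fingerprint(mrn: str) -> str:
    """Keyed hash so the match list holds no recoverable MRNs."""
    return hmac.new(EDM_KEY, mrn.encode(), hashlib.sha256).hexdigest()


def build_match_set(nightly_extract: List[str]) -> frozenset:
    """Turn the EMR's nightly MRN export into a set of fingerprints."""
    return frozenset(mrn_fingerprint(m) for m in nightly_extract)


def scan_document(text: str, match_set: frozenset) -> Dict[str, List[str]]:
    """Return the PHI indicators found in one document, by type."""
    findings: Dict[str, List[str]] = {"ssn": [], "mrn": []}
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            findings["ssn"].append(m.group(0))
    for m in MRN_RE.finditer(text):
        # Exact match: only MRNs the EMR actually issued count.
        if mrn_fingerprint(m.group(0)) in match_set:
            findings["mrn"].append(m.group(0))
    return findings


def classify(documents: Dict[str, str], match_set: frozenset) -> Dict[str, str]:
    """Label each document 'PHI' or 'no PHI' for downstream policy."""
    labels: Dict[str, str] = {}
    for name, text in documents.items():
        f = scan_document(text, match_set)
        labels[name] = "PHI" if (f["ssn"] or f["mrn"]) else "no PHI"
    return labels


# Constructed sample data: an MRN extract and three files from a share.
NIGHTLY_MRN_EXTRACT = ["MRN0001234", "MRN0005678"]
SAMPLE_DOCS = {
    "discharge.docx": "Patient MRN0001234 discharged; follow-up in 2 weeks.",
    "budget.xlsx": "Ref 999-99-9999 is an internal code, not a SSN.",
    "intake.txt": "Applicant SSN 219-09-9999, chart MRN0009999 (not ours).",
}

if __name__ == "__main__":
    ms = build_match_set(NIGHTLY_MRN_EXTRACT)
    for doc, label in classify(SAMPLE_DOCS, ms).items():
        print(f"{doc}: {label} {scan_document(SAMPLE_DOCS[doc], ms)}")
```

Note what the three constructed files exercise: the discharge summary is caught only because its MRN is in the nightly extract; the budget spreadsheet's 999-99-9999 matches the SSN shape but is rejected because no SSN has an area number starting with 9; and the intake note is flagged on its SSN even though its MRN belongs to some other institution. The keyed hash also means the nightly extract can be refreshed by rotating the key and re-hashing, without ever writing the plain MRN list to the scanning host.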

Data Insight takes that visibility across file shares and applies additional controls.  Once data has been classified by VERITAS or another data classification system, Data Insight can automatically apply your organization’s policy.  Sometimes this means sending an alert to the employee and/or their manager stating “PHI was found outside of the authorized or secure location.”  Other times organizational policy dictates that the file be moved to a secured location or encrypted.  Data Insight can automatically apply whatever controls your organization specifies in policy!  We have seen advanced uses of this approach to identify and protect formularies, treatment protocols and mental health/recovery data.  Some customers have even adapted the toolset to track and prevent insider threats: if you see a researcher downloading 100MB a day when they typically access 2-3MB, it might warrant a closer look…
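The insider-threat check at the end of that paragraph is a per-user volume baseline, and the following added example shows the logic in plain Python. It is illustrative detection code written for this page, not Data Insight’s implementation; the file-share access log format (one line per access: ISO date, username, bytes read) and the user names and byte counts in it are constructed. The point it makes is that the baseline has to be per user: a research analyst who pulls 40MB every day is normal for them, while a 100MB day from someone who usually reads 2-3MB is not.

```python
"""Added example: flag a user whose daily read volume departs from their
own baseline, the pattern the post describes (a researcher pulling 100MB
in a day against a normal 2-3MB). Illustrative detection logic, not
Data Insight code. The log format (date, user, bytes per access) and
the sample lines below are constructed assumptions.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Tuple

# Constructed file-share access log: "YYYY-MM-DD user bytes" per access.
ACCESS_LOG = """
2017-01-09 rlee 1200000
2017-01-09 rlee 900000
2017-01-10 rlee 2500000
2017-01-11 rlee 2100000
2017-01-12 rlee 3000000
2017-01-13 rlee 52000000
2017-01-13 rlee 48000000
2017-01-09 mpatel 40000000
2017-01-10 mpatel 45000000
2017-01-11 mpatel 38000000
2017-01-12 mpatel 41000000
2017-01-13 mpatel 47000000
""".strip().splitlines()


def daily_volume(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Sum bytes per user per day: {user: {day: bytes}}."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        day, user, nbytes = line.split()
        totals[user][day] += int(nbytes)
    return totals


def anomalies(
    totals: Dict[str, Dict[str, int]],
    day: str,
    multiplier: int = 10,
    min_history: int = 3,
) -> List[Tuple[str, int, float]]:
    """Return (user, bytes_today, baseline_bytes) for every user whose
    volume on `day` exceeds `multiplier` times their own median over
    earlier days. Users with fewer than `min_history` prior days are
    skipped rather than judged against a baseline that does not exist yet.
    The median, not the mean, is used so one earlier spike cannot raise the
    baseline enough to hide the next one."""
    flagged: List[Tuple[str, int, float]] = []
    for user, by_day in totals.items():
        # ISO dates compare correctly as strings.
        history = [v for d, v in by_day.items() if d < day]
        if len(history) < min_history:
            continue
        baseline = median(history)
        today = by_day.get(day, 0)
        if today > multiplier * baseline:
            flagged.append((user, today, baseline))
    return flagged


if __name__ == "__main__":
    totals = daily_volume(ACCESS_LOG)
    for user, today, baseline in anomalies(totals, "2017-01-13"):
        print(f"{user}: {today / 1e6:.1f}MB today vs {baseline / 1e6:.1f}MB baseline")
```

On the constructed log, rlee’s 100MB on 2017-01-13 is flagged against a 2.3MB median, while mpatel’s 47MB day is not, because it sits inside that user’s own 38-45MB range. A fixed absolute threshold would either miss rlee or alert on mpatel every day; the alert is only useful as a trigger for the closer look the post suggests, since a legitimate project or a quarterly export produces the same signal.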

I consider this the basic blocking and tackling of healthcare data management, but there are even greater opportunities to automate regulatory compliance.  We are also seeing increased use of eDiscovery within healthcare.  Whether used for litigation hold or to facilitate open records requests, eDiscovery tools can dramatically reduce your costs AND your time.  I have had the dubious pleasure of supporting Legal or Compliance on a number of healthcare-related cases.  It amazes me how much interaction and time it takes to put an organization, or a subset of it, on litigation hold.  Traditionally, this meant communicating the requirements to a very small, discrete technical team, then creating copies of all the relevant data, storage, mailboxes, etc. and keeping them for an indeterminate amount of time.  I have seen healthcare organizations dedicate an FTE or two full-time to Legal.  But that is where the effort and costs just begin!  Legal will then pay staff or outside consultants to review each item at an average cost of, say, $0.80 per page.  They must then determine whether it is relevant, whether it is included and whether it needs redaction.  What a burdensome, slow and expensive process!  Yet this is how it works in many healthcare organizations.

Veritas eDiscovery technologies remove the pain, time and cost from eDiscovery.  With workflow developed by lawyers for lawyers, the tool enables the Legal team to put information on litigation hold themselves.  Imagine the efficiency and privacy gained when Legal holds data directly, without drawing on IT resources!  In addition, the technology enforces a process workflow that maintains an immutable copy and a documented chain of custody, so the evidence collected will hold up in court.  The tool can then automatically search for relevant data and provide evidence of defensible deletion and redaction.  It is with this power that most of our customers pay for the tool with the first case!  I have customers where a single case would cost $1.1M or more in outside legal review costs alone; automated searching and redaction reduced those costs to less than $300k.  In fact, eDiscovery often has the fastest ROI in the VERITAS portfolio.

Healthcare has a critical mission and an awesome responsibility. What #healthIT trends are you seeing in the industry?

The Veritas team will be at HIMSS 2017. Please stop by our booth to discuss your compliance needs or any of these topics in more depth.

1 Comment

Informative and insightful article.  Healthcare topics are very useful -- thanks for sharing, Rick