Serving as a framework for the process of governing businesses, governance is an essential aspect of healthcare organizations. Institutions with strong data governance practices facilitate patient trust, maintain HIPAA compliance, and protect themselves from the high costs of a data breach. But how do they accomplish this? To better understand how these concepts connect, here are four data governance best practices for healthcare organizations.
1. Using governance data to identify areas of risk
Once an organization develops sound policies, procedures, and controls, governance data can be analyzed to evaluate teams, personnel, and areas of the organization that may be at risk for threats against patient privacy. This increases visibility within an organization and helps identify potential weaknesses. Is it coworker snooping? Household snooping? Self-access? Data governance can help determine the answer.
2. Utilizing governance data to create workflows and provide custom training
With the added visibility into areas of potential weakness that governance data provides, healthcare systems can establish a workflow, identify gaps, and provide education to departments that need it most.
When Beth Hunt took on her role as Chief Compliance Officer at Southeastern Health, she used data based on policies and procedures as an educational tool – and a disciplinary one, when necessary – to help her team obtain the information they needed to protect compliance at her organization.
“The only way you’re going to get meaningful compliance – and shift your culture of compliance – is helping people understand the why, that this is not just me policing your activity or being the bad guy.” – Beth Hunt, Chief Compliance Officer at Southeastern Health
3. Protecting your organization against breaches and OCR audits with data governance
To maintain HIPAA compliance, patient privacy, and security, every medical organization is subject to a potential audit by the Office for Civil Rights (OCR). In the event that a breach is discovered, either by the OCR or by the health system itself, accurate governance data can protect the facility from costly HIPAA violation fines.
Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, there are four tiers of culpability in the event of a HIPAA violation:
Tier 1, No Knowledge: Organizations that couldn’t have known about an incident and made a genuine effort to protect themselves ahead of time.
Tier 2, Reasonable Cause: The organization either knew or should have known about the violation after performing due diligence, but the violation itself didn’t occur as a result of willful neglect.
Tier 3, Willful Neglect – Corrected: Although the violation was caused by negligence, it was corrected in a timely manner.
Tier 4, Willful Neglect – Not Corrected: Caused by neglectful behavior and action was not taken in a timely manner to correct the problem.
Originally, the penalty for all four tiers had a limit of $1.5 million per year. But in 2019, the Department of Health and Human Services (HHS) announced a major change to penalties for HIPAA violations. Under the new rules, annual limits for the first three tiers have been drastically reduced, to as low as a $25,000 maximum.
With governance data to show that an organization is doing its due diligence to maintain compliance, security, and patient privacy, organizations can potentially save over a million dollars in fines in the event of a HIPAA violation.
4. Sharing governance data across teams to break down silos within an organization
On top of preventing hefty fines in the event of a breach, governance can help organizations collaborate and work toward a single goal. In any organization, different departments take on compartmentalized tasks, causing them to have different viewpoints on what privacy measures need to be prioritized. With the information that governance provides, different teams gain visibility into areas of strength and weakness within an organization’s privacy program, which can aid in aligning different teams to work towards the same goal. The visibility that this provides can help an entire organization see the big picture about privacy.
By following these four best practices and taking full advantage of what governance data has to offer, healthcare organizations gain the tools they need to strengthen compliance programs, streamline workflows, and nurture a culture of compliance.