In preparation for NCHICA’s 25th Annual Conference from September 16-18, 2019, Beth Hunt, Chief Compliance Officer at Southeastern Health, and Lisa Fiene, Training Manager at FairWarning, joined Janet Kennedy of Get Social Health for the Healthcare IT Trends Buzz Podcast to discuss growing and maintaining an effective HIPAA compliance program.
Southeastern Health is a non-profit organization in Lumberton, NC with 2,500 employees and 452 beds. Although Southeastern serves a small, rural area, they’re a large healthcare system built to serve their community’s needs. But when Southeastern’s HIPAA Specialist left, they took all knowledge of the organization’s compliance program with them. After being thrown a major curveball, how was Southeastern able to streamline their workflow and bolster their HIPAA compliance program?
1. Establish a workflow
Beth began with a policy review, examining the procedures for compliance and discipline and fine-tuning workflows to ensure they worked for the organization.
“You really need to come in and see where an organization is at and then implement a plan to get them to the spot where they want to be.” – Lisa Fiene, Training Manager at FairWarning
Southeastern Health’s plan involved identifying compliance gaps and training themselves on their patient privacy monitoring program. Reaching out to their existing vendor and partnering with a Managed Privacy Services (MPS) Analyst streamlined Southeastern’s workflow by consolidating incident reports and providing actionable insights for Southeastern’s HR department, saving Beth five to six hours of work per week.
2. Adopt patient privacy monitoring
Although Southeastern already had a partnership for patient privacy monitoring, their HIPAA Specialist took the knowledge of how to use the program with them when they left the organization. Beth realized that she needed to rebuild the compliance process for her organization and take full advantage of the vendor they already had. By re-training herself and staff on the program while establishing a system to standardize their alerts, Beth was able to drastically reduce the number of alerts she received.
“We went from having 2-3,000 alerts in a week to being down to five to six because we’re able to address them that efficiently.” – Beth Hunt, Chief Compliance Officer at Southeastern Health
Southeastern monitors user activity to identify coworker snooping, household snooping, high volume access, and any behavior that could be identified as a red flag. Alerts range from scenarios in which an employee logs in to find a coworker’s address to send a birthday card all the way up to access with nefarious intent. Although most alerts are non-malicious or non-intentional, these types of access must still be addressed.
“If you can go into your chart and do something to it, that invalidates the security for everybody.” – Beth Hunt, Chief Compliance Officer at Southeastern Health
Instead of utilizing user activity monitoring strictly as a disciplinary tool, Beth uses it as a way to educate staff and bolster a culture of compliance at her organization.
3. Provide training
Thanks to the accuracy provided to her by her MPS analyst, Beth focused on delivering effective training to Southeastern staff to help them understand the rules and why they should follow them.
Alerts don’t necessarily have to end in termination and can instead be used to provide education. Nevertheless, employees must bring their behavior in line with the training provided.
“The only way you’re going to get a meaningful compliance – and shift your culture of compliance – is helping people understand the why, that this is not just me policing your activity or being the bad guy.” – Beth Hunt, Chief Compliance Officer at Southeastern Health
Lisa Fiene, Training Manager at FairWarning, stressed the importance of establishing a training program by determining who will need training the most among leadership and employees, then tailoring the training to suit an organization’s needs.
At Southeastern Health, this was challenging: the organization had to shift from a small-town culture where everyone knows each other’s business and looks out for one another to being strict about protecting compliance and patient privacy.
“It’s not the southern way, that’s just not the way we’re built.” – Beth Hunt, Chief Compliance Officer at Southeastern Health
But with the level of education Beth provided to her staff, she’s noticed a significant improvement in the level of compliance at Southeastern Health.
“We’ve seen a huge shift in the culture of compliance at our organization” – Beth Hunt, Chief Compliance Officer at Southeastern Health
Facing these challenges in the pursuit of nurturing a strong compliance program was no simple task – Southeastern Health contended with three catastrophic hurricanes in the past three years. Furthermore, the organization is one of the few independent hospital systems in the state, serving one of the poorest and most unhealthy counties. But even under these circumstances, Southeastern Health built an inspiring culture of compliance by streamlining their workflow, monitoring for patient privacy, and establishing a training program to remediate privacy incidents.
“If Southeastern can do it, anyone can do it.” – Beth Hunt, Chief Compliance Officer at Southeastern Health