At Courion, we strive to provide the most innovative solutions possible to allow our customers to detect and remediate risks across all organizations in any industry. We read, we research, and we do our best to stay on top of every new threat, breach, rule, and regulation. However, to truly understand what is happening in the industry and on the ground every day, we turn to the experts who have lived through these scenarios and can help us better understand what you need as a customer.
Today, we welcome one of these experts to our blog in the first post of a new series we will call “An Interview with the Expert”. This week’s guest is Mr. William “Buddy” Gillespie, a highly accomplished, visionary, and driven Senior Healthcare IT Executive. Mr. Gillespie is a leader with extensive experience and achievements within Healthcare Information Technology (HIT), including strategic positioning, budgeting, staff recruitment, customer service, implementation and consulting, customer support, customer relationship management, privacy and security sales/marketing, and collaborative relationship positioning with multiple HIT vendors and business associates.
He has expertise in Health Information Technology, HIPAA Privacy and Security (HCISPP Certified) and, most recently, Analytics and Health Information Exchange (HIE). His experience has included extensive work with Electronic Medical Records (EMR), state-wide HIEs, and marketing of Disaster Recovery/Cloud Hosting solutions.
A certified Healthcare Information Security and Privacy Practitioner (HCISPP), Mr. Gillespie served as the VP, CIO, and CTO at WellSpan Health, an integrated delivery system based in York, Pennsylvania and serving more than 70,000 people in south central PA. As the CTO, Mr. Gillespie was responsible for the strategic and tactical efforts surrounding the business and clinical systems at WellSpan. Now “retired”, he works as a consultant, presenter, and active member of several prestigious organizations.
Here is what Mr. Gillespie had to say:
Courion Corporation: What are the biggest challenges you have seen in the last 6 years?
Buddy Gillespie: The last 6 years have been a fast train for Health Information Technology and have resulted in a huge magnitude of change to the delivery of healthcare. The major force vector behind the high rate of change has been the HITECH Act. There is no doubt that this Act was the major catalyst to get hospitals to invest in the EMR and other related technologies. The number one change has been in the way patient care is delivered. Physicians, for the most part, no longer fight technology but embrace it. The question on the table is: will the changes sustain or will they fall back? We can only hope that Meaningful Use is “too big to fail”.
CC: What are the strongest emerging drivers and trends in healthcare?
BG: I would say the sustainability of HITECH, Electronic Health Records, Meaningful Use, and the Triple Aim.
In 2009, the HITECH Act was signed into law, which established the goal to implement the Electronic Health Record across all healthcare providers and thereby establish a road to have every caregiver utilize the EHR in a manner which constitutes a “meaningful use” of the patient data. Rules were established to define Meaningful Use, and if the provider achieved the goal, incentive payments would be paid to the providers. The Act was set up in three phases, and each phase has its own criteria/rules to define the objectives for achievement. Ninety percent of providers have achieved the first two phases and over $20 billion has been paid out in incentives. The criteria for the final phase have been released and providers are gearing up. The ultimate goal of the HITECH Act and Meaningful Use is to meet the three pillars of the Triple Aim: reduce the cost of healthcare, increase quality, and improve the patient experience. The question now becomes how successful the first two phases have been in meeting the goals of the HITECH Act and the Triple Aim. Surveys to that regard have resulted in mixed reactions. While the overall feeling is positive, some have responded that the Act has created additional burden on an already excessive patient load for physicians. There is no doubt that the Act has resulted in the expansion of the EHR to a level never before seen in healthcare. Today over 50 percent of physician practices and over 60 percent of hospitals have implemented a robust EHR. Phase Three will be the ultimate test of the success factors for the HITECH Act. That phase will build on the first two phases and take into account the pros and cons of the first two phases.
In my opinion, the real critical success factor will be sustainability. Once the dollar incentives are gone and the “aw, gee” reaction has passed, will the current level of Meaningful Use survive? I think not, unless health systems and providers continue to monitor, nurture and invest in the resources and technology to sustain Meaningful Use.
CC: We’ve all heard about the new phase 2 for the OCR and the HIPAA Audit program. What do you think will be the biggest impact and how can companies prepare?
BG: The Office for Civil Rights (OCR) has announced that they are ready to start the second phase of the HIPAA/HITECH audit program. The scope of Phase 2 will be to audit 200 plus covered entities. The audit criteria will be benchmarked to the compliance of the HIPAA Privacy and Security Rules plus the requirements for Breach Notification. The Covered Entities Audits will be followed by audits of the Business Associates to include EMR vendors, Cloud Service Providers, and other BAs in the HIPAA Chain of Trust continuum.
Although OCR has indicated that the first round of audits will be a review of policies and processes, additional on-site audits will be more comprehensive in nature and focus on a deep-dive of internal technology and other types of mitigating solutions in place to support risk prevention.
So what is a good rule of thumb for preparing for the OCR audit? First of all, make the assumption that you will be part of the 200 plus and prepare a plan sooner rather than later.
The plan should be kept simple and kept to a few basic components:
- Review OCR’s audit protocol and be well versed on the HIPAA and HITECH regulations.
- Review your documentation and ensure you have the most recent HIPAA guidelines, policies, and procedures in place and the organization is well-educated relative to those documents.
- Have a clear understanding of what OCR’s expectations/process are relative to providing your documentation to the auditors.
- Orchestrate a “mock” audit with all internal parties and simulate a real audit.
- Lastly, establish a communication chain within your organization to communicate events, timelines, tasks, status, etc.
For more on our conversation with Mr. Gillespie, join us next month for Part 2 of our interview or register today for our webinar, “Improving Operational Efficiencies in Healthcare Organizations”, Wednesday, November 11, 2015 at 11AM.