If any reader believes that the healthcare industry has not already been disrupted more in the last few years than it has in the previous fifty, with more disruption on the way, then you have simply been asleep at the wheel. Further, we have a news flash for you, it is no longer the government that is the most active agent in the disruption business, it's that scary (or holy, depending on your point of view) thing we call "the free market" that is driving the disruption.
In short, huge corporations are investing billions of dollars with the hope of reaping the benefits of disruption. Forget what is going in Washington D.C., it pales in comparison to the tsunami of change that billions of investment dollars creates when unleashed upon the marketplace. Adding to this, and in part fueling it, is the fact that in the age of the global Internet, patients will no longer tolerate the healthcare industry's Luddite stance regarding EHRs in particular and technology in general. You can kiss those "good 'ole days" goodbye, they are gone forever (RIP).
This is not an argument that all will be "sweetness and light" with respect to the challenges the industry faces, but rather a statement of the obvious: the healthcare industry status quo has exploded into a million and one pieces and it will never be the same again. Privacy and security concerns regarding protected health information("PHI") remain a mission critical component of healthcare's next iteration. The importance of privacy and security grows exponentially as the Nationwide Health Information Network ("NHIN") become more and more real with each passing day and as patients grow more accustomed to demanding access to their PHI.
What does that mean to you if you are responsible for your organization's HITECH / HIPAA compliance initiative? It means that what you have been doing for the last decade will surely be disrupted by all the technological change around you (e.g. mobile, clould, social media, etc.). Why? Because there is no way that the NHIN can survive without robust privacy and security governance baked in from the get go, and without a commitment from all market participants, which means you. Further, it is unlikely that the government is the entity to be feared the most, but rather the demands of the marketplace, and your organization's struggle for survival in the ecosystem.
The reality is that, for all intents and purposes, the old governance model was pure fiction, because HIPAA was largely a paper tiger (i.e. un-enforced legislation). The healthcare industry clearly understood that this was the case. Sure the industry paid lip service to the Privacy Rule, but that response can hardly be construed as a governance model. Therefore, the challenge that the industry now faces, across stakeholders of all sizes, is to invent a compliance gorcernance model from whole cloth, with all the cultural and organizational challenges associated with it.
Our basic premise is that any compliance initiative is a response to organizational risk. A governance model is an organizational risk management approach designed to mitigate the negative consequences of non-compliance. This is certainly the dominant view wherein compliance is perceived as a "necessary evil." Under this world view the risks associated with non-compliance must be contained. To the degree that the healthcare industry (en masse) adopted any HIPAA governance model, it almost certainly was based on the governance, risk management, and compliance model ("GRC").
Our view of GRC with respect to HITECH / HIPAA compliance is that it is necessary but not sufficient. Why? Because implicit in the GRC model, standing alone, is the hidden premise of "containment." However, despite our view that risk management will remain a critical component of any governance model, real compliance success can only be achieved by incorporating privacy and security as essential parts of an organization's value proposition (i.e. an essential component of the products and services a provider delivers to the marketplace) and therefore into its day-to-day operations.
Consider what security means to the online banking industry: is it simply something to be contained or an essential mission critical aspect of the service it delivers to the marketplace? The differences between the two approaches are like night and day. Security for online banking industry participants is a "bet the company organization-wide imperative," certainly not something "bolted on" after the fact. Our view is that the emerging healthcare marketplace will demand that privacy and security be an important part of a provider's value proposition and that in turn will drive the approach that the industry should take with respect to a compliance governance model.
In addition, although clearly small providers will not have the same governance model as the large hospitals, it is nonetheless important for all stakeholders to understand the distinction in approaches. Small providers are increasingly being aggregated into healthcare ecosystems of larger players. This trend will continue. The privacy and security imperative will become an industry imperative, driven as much from the inside as by external agents such as state and federal governments and patients.
Below we discuss some of the challenges the industry will face in Crossing the Chasm.
Culture: The healthcare industry has historically been insular and impervious to change. That is one of the reasons that the healthcare status quo has remained in place, despite the fact that enabling technologies (e.g. the Internet, mobile communications, etc.) had long since begun transforming other knowledge based industries. Now that the healthcare dam has burst, its ability to absorb so much change in a compressed timeframe is arguably its most daunting challenge.
There are no easy answers with respect to cultural transformation but we can suggest several resources that will enable you to begin framing the issue within your organization: Re-engineering Healthcare, Switch: How to Changes Things When Change is Hard, The Innovators Prescription: A Disruptive Solution for Health Care, and Redefining Health Care: Creating Value Based Competition on Results. First this list is clearly not exhaustive. Second, not all these books have to do with "culture" directly but they are all excellent resources regarding the change that it coming to healthcare and/or how to cope with change in general.
The takeaway here is our belief that healthcare's culture (en masse) will be transformed, because it is the only way that the industry can cope with the tsunami of change that now confronts it. Part of that cultural transformation must include a radically different world view with respect to privacy and security.
Design and processes: Compliance is a process and never a one time event. In fact our compliance continuum "build a good story" metaphor suggests that persistent iterations over time is the only practical methodology for achieving the objective of "full compliance" (an aspirational goal that may never be reached in fact). The compliance governance model you select must incorporate this iterative philosophy or you run the risk of having your compliance initiative being nothing more than "lipstick on a pig," dressed up for a time but remaining ugly nonetheless.
Decisions: The primary challenge for most organizations will be how to get started? Our products address this concern, but the immediate challenge (and decisions) that need to be made is who within the organization will be the privacy and security champions. Clearly without executive management support your compliance initiative is likely to be still born. However, assuming there is support, who is capable of driving the necessary change? Due to the well established healthcare "pecking order," our view is that a respected member of the clinical staff must assume the leadership role.
Participants: Who should participate in the compliance governance model? Everyone in your organization must participate in some way shape or form. Privacy and security must be an integral part of what your organization does or you risk absolute failure with respect to HITECH / HIPAA compliance, and certainly run the risk of being found in willful neglect.