You are the HIM Director in an acute care hospital setting. Your facility has purchased an electronic health record (EHR) system, and pressure is mounting to deploy this system as soon as possible by the chief information officer and chief of the medical staff (CMS). However, during a testing period, you and your team discover that the EHR system does not comply with applicable federal privacy and security standards. It is your recommendation to stop the deployment until these issues can be resolved; however, the CIO and CMS disagree.

Identify and evaluate available options

Answer:

As the HIM Director, you find yourself in a difficult situation. Pressure is mounting to deploy a new EHR system quickly, but during testing, your team identified critical security and privacy issues that make the system non-compliant with federal regulations. Patient privacy and security are paramount, so here's how you can approach this challenge:

One option is to stand your ground and delay deployment. Explain the identified non-compliance issues to the CIO and CMS. Emphasize the potential consequences of a data breach, including hefty fines from the Department of Health and Human Services (HHS), a loss of patient trust, and reputational damage to the hospital. This approach prioritizes patient safety but may create friction with the CIO and CMS. Be prepared to present a clear plan for addressing the compliance issues and a revised timeline for deployment.

Another option is a conditional deployment. Propose a phased approach where you initially use only the functionalities that meet compliance standards. Work with the vendor to address the non-compliant areas on a fast track. This could involve implementing temporary security measures and collaborating with the vendor to develop a rapid remediation plan. This option allows some functionalities to be used while addressing compliance issues, but it requires ongoing vigilance and additional resources, and could lead to delays due to the increased complexity.

Finally, consider seeking external expertise. Engaging a third-party HIPAA compliance consultant can provide an objective assessment, suggest solutions, and guide you on achieving and maintaining compliance. This approach offers expert advice and strengthens your position, but it comes with additional cost, and the consultant's recommendations might align with delaying deployment, potentially frustrating the CIO and CMS further.

The best course of action depends on the severity of the non-compliance issues and the hospital's risk tolerance. If the non-compliance issues expose patients to a significant risk of data breaches, prioritize delaying deployment and emphasize the legal and ethical implications. For moderate-risk issues, consider a conditional deployment with a clear plan for achieving full compliance. If the severity is unclear, involve a consultant to help define the risks and recommend the most appropriate course of action.

Regardless of the chosen option, effective communication is key. Present your findings and recommendations in a clear and concise manner, focusing on patient safety and using non-technical language to explain the risks to the CIO and CMS. Back up your arguments with data on HIPAA violations and industry best practices. Finally, express willingness to collaborate with the CIO and CMS to find a solution that balances both privacy and expediency.