Feature Articles

ComplianceJunction HIPAA Training Receives SCCE Accreditation

Posted by Steve Alder

The Society of Corporate Compliance and Ethics (SCCE) has recently accredited ComplianceJunction’s ‘HIPAA Training for Organizations’ training course. The SCCE is an Eden Prairie, MN-based non-profit association dedicated to enabling the lasting success and integrity of organizations by promoting high standards in compliance and ethics programs. The SCCE, which has more than 19,000 members in over 100 countries, provides resources, education, and networking opportunities for ethics and compliance professionals and offers professional certification through the Compliance Certification Board (CCB). The CCB is an independent body that recognizes individuals with competence in the practice of compliance and ethics.

ComplianceJunction’s mission is to help healthcare organizations train their employees on HIPAA compliance and ensure they understand their responsibilities when it comes to health information privacy. ComplianceJunction has developed a training course that provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) and serves as a foundation for developing a comprehensive HIPAA training program. The training has been used by more than 1,000 healthcare organizations and over 100 universities to raise awareness of the HIPAA regulations.

“ComplianceJunction’s customers include practice owners and senior managers who want to ensure that their staff members are kept up to date on the HIPAA regulations and their organization maintains compliance with the HIPAA training requirements,” explained ComplianceJunction’s Ryan Coyne. “The SCCE accreditation means their employees can now earn CEUs for completing the course, which provides an extra incentive for completing the training.” Healthcare professionals who complete the accredited HIPAA training course will earn 2.6 Continuing Education Units (CEUs) that demonstrate they are taking steps to stay up-to-date with current regulations and are continuing their education and professional development.

“The ComplianceJunction HIPAA training offers a detailed overview of HIPAA fundamentals, laying a solid foundation for developing a comprehensive training program. The modules and case studies are excellent tools to engage staff in further discussion and uncover additional role-specific training needs,” said Joanne Curran, Director of Health Information Management at the Greater Lawrence Family Health Center. “Staff appreciate the opportunity to earn CEUs for completing the training series and look forward to additional training offerings.”

The post ComplianceJunction HIPAA Training Receives SCCE Accreditation appeared first on HIPAA Journal.

FREE WEBINAR on HHS OIG Exclusions: Learn from Leading Compliance Experts

Posted by Ian

The Complete Exclusion Screening Playbook: From Sanctions to Conflicts of Interest

On September 9, 2025, Compliancy Group is hosting a free webinar to discuss best practices for ensuring compliance with laws and regulations regarding exclusions and sanctions screening and monitoring in today’s rapidly evolving regulatory landscape.

Effective screening is essential before onboarding any individual or entity, and healthcare organizations must have policies and procedures in place for regular ongoing checks of individuals and entities prohibited from participating in state and federally funded programs, such as the HHS-OIG List of Excluded Individuals and Entities (LEIE). There are severe penalties for employing individuals who have been excluded from participating in federal healthcare programs, including heavy fines and potential exclusion.

At the webinar, leading Compliance Officer, James Maguire, will be joined by recognized sales and business development executive Tom Leahy for an advanced exploration of sophisticated screening frameworks that do far more than ensure compliance with basic regulatory requirements. During this executive-level discussion, attendees will learn about the complex intersection of sanctions compliance, exclusion monitoring, and organizational conflict management in a rapidly evolving regulatory landscape.

Webinar attendees will learn about:

  • Exclusions and sanction screening best practices
  • How to effectively establish and manage conflict‑of‑interest programs
  • Practical challenges faced by compliance officers
  • How new laws and trends are reshaping screening imperatives

WEBINAR DETAILS

The Complete Exclusion Screening Playbook: From Sanctions to Conflicts of Interest

Tuesday, September 9, 2025

ET:  1:00 PM – 2:00 PM |  CT: 12:00 PM – 1:00 PM | MT: 11:00 AM – 12:00 PM | PT: 10:00 AM – 11:00 AM

Speakers:

James Maguire, Chief Compliance and Privacy Officer, Atlas Healthcare Partners

Tom Leahy, SVP, Sales and Business Development, SureShield

Don’t let your organization be the next headline. Secure your place by completing the registration form on this page today, and add the date to your calendar.

James Maguire, Chief Compliance and Privacy Officer, Atlas Healthcare PartnersSpeaker: James Maguire, Chief Compliance and Privacy Officer, Atlas Healthcare Partners

James Maguire has a deep understanding of the healthcare industry and healthcare law from his current role as Chief Compliance and Privacy Officer at Atlas and as the former Director of Compliance at Aetna. He is responsible for creating an ethical culture focused on integrity and teamwork at Atlas, and leads the corporate ethics, compliance, and privacy programs.

While at Aetna, James promoted and enforced compliance with federal and state laws and regulations, and a range of company policies affecting multiple Aetna businesses, helping to achieve Aetna’s company objectives while maintaining the highest business standards.

 

Tom Leahy, SVP, Sales and Business Development, SureShield Speaker: Tom Leahy, SVP, Sales and Business Development, SureShield

Tom Leahy is a sales and business development executive with more than 35 years of sales and business leadership experience gained at several companies, from founding start-ups through strategic departure, with extensive experience in sales management, contracting, partnership, re-seller, and OEM sales distribution.

Tom has a successful track record within the software and services industry in compliance, security, and risk management, and is a recognized business development executive, introducing the first cloud-based healthcare analytic workflow tools in quality, patient safety monitoring, and pay-for-performance programs. Currently, Tom leads SureShield’s business development efforts.

The post FREE WEBINAR on HHS OIG Exclusions: Learn from Leading Compliance Experts appeared first on The HIPAA Journal.

HIPAA Pays Off: Why Invest in Compliance – Free Webinar Aug 17

Posted by Ian

Are you aware that investing in HIPAA compliance can actually result in increased revenue? Conversely, putting HIPAA compliance on the back burner can be detrimental to the organization.

The HIPAA compliance specialists, Compliancy Group, will be hosting a webinar to explain how investing in compliance can result in increased revenue.

Attendees will learn how and why investing time and money into HIPAA compliance can result in a positive year and will be provided with real-life examples of HIPAA-regulated entities that have invested time and money into their HIPAA compliance programs and have reaped the benefits.

Free Webinar Details

Thursday, August 17, 2023

11:00 a.m. PT ¦ 12:00 p.m. MT ¦ 1:00 pm CT ¦ 2:00 pm ET

Host: Compliancy Group

Speaker: Liam Degnan, Compliancy Group, Director of Strategic Initiatives

Please Use The Form On This Page To Sign Up

The post HIPAA Pays Off: Why Invest in Compliance – Free Webinar Aug 17 appeared first on HIPAA Journal.

What Are HIPAA Laws?

Posted by Ian

The main objective of HIPAA law is to protect the privacy of an individuals’ health information while at the same time permitting needed information to be disclosed for patient care and other purposes such as billing. This balance helps protect the rights of patients while ensuring smooth operation of the healthcare system.

HIPAA Law Checklist For HIPAA Law ComplianceHIPAA compliance laws set the standards for protecting sensitive patient data that healthcare providers, insurance companies, and other covered entities must adhere to. You can use our HIPAA Law Compliance Checklist to check your compliance requirements and avoid HIPAA violations.

What follows is an overview of the main components of HIPAA Law:

The HIPAA Law Privacy Rule

A key component of HIPAA compliance law is the Privacy Rule, which sets out national standards for when protected health information (PHI) may be used and disclosed.

PHI refers to any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This interpretation of PHI is broad and encompasses any part of a patient’s medical record or payment history.

Under the Privacy Rule, healthcare providers must implement necessary safeguards to protect the privacy of PHI. These safeguards are both physical (like locking filing cabinets) and technical (like password-protected electronic health records). Patients also have the right under the Privacy Rule to access, inspect, and obtain a copy of their PHI.

The HIPAA Law Security Rule

Another component of HIPAA compliance is the Security Rule. This rule applies specifically to electronic protected health information (ePHI), and covers the three types of security safeguards required: administrative, physical, and technical. These safeguards help to ensure that electronic patient data is secure from unauthorized access, loss, or damage.

Administrative safeguards focus on creating policies and procedures designed to clearly show how a Covered Entity must comply with HIPAA. Physical safeguards involve securing the physical facilities and equipment where data is stored and accessed. Technical safeguards refer to the technology and policy and procedures for its use that protect ePHI and control access to it.

HIPAA Privacy Officers

Under the HIPAA compliance laws, organizations are obligated to designate a privacy officer responsible for implementing and maintaining the policies. PHI access should be strictly limited on a “need-to-know” basis, thereby ensuring that only those who need this information to perform their job responsibilities can access it.

Who Is Subject To HIPAA?

The standards for electronic transactions which qualify an organization as a HIPAA-Covered Entity appears in CFR 45 Part 2. Generally, an organization is a HIPAA Covered Entity when it is:

  • A healthcare provider that conducts electronic transactions.
  • A health plan
  • A healthcare clearinghouse

Exceptions to this definition occur where an organization that does not qualify as a Covered Entity are somewhat involved in covered transactions.  For example, if they act as an intermediary between an employee, a healthcare provider, and a health plan.

Additionally, an organization that self-administers a health plan but has less than fifty participants is not considered to be a Covered Entity.

HIPAA Law For Business Associates

A vital aspect of compliance is the execution of Business Associate Agreements (BAAs) with any third-party vendors accessing PHI. These agreements set the standard for PHI use and disclosure by business associates, placing limits and conditions on their actions involving PHI.

Does HIPAA Apply To Employment Records?

One potentially confusing area of the Administrative Simplification Regulations relates to employment records, HIPAA law, and employers. This is because the definition of individually identifiable health information in §160.103 includes “information collected from an individual or created or received by a health care provider, health plan, employer, or health care clearinghouse.”

However, the definition of Protected Health Information (also in §160.103) excludes “employment records held by a Covered Entity in its role as an employer.” This exclusion applies to individually identifiable health information an employer might receive and maintain in an employment record to explain – for example – the reason for a leave of absence due to sickness or an injury.

HIPAA Law Enforcement and Penalties

Enforcement of HIPAA regulations is managed by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). If an entity is found to be non-compliant with HIPAA, they can face hefty fines and penalties. Fines are tiered based on the entity’s knowledge and handling of the breach.

The HIPAA Safe Harbor Law, introduced in January 2021, takes into account existing security practices when determining HIPAA violation penalties. For instance, if an entity didn’t know and, by exercising reasonable diligence, wouldn’t have known of a violation, the penalty may be less severe. However, if a violation is due to willful neglect and not corrected, the penalty can be very significant.

Summary: HIPAA Compliance Laws

HIPAA compliance laws are an essential aspect of healthcare, ensuring the protection and secure handling of sensitive patient health information. By establishing a framework of compliance through its Privacy and Security Rules, HIPAA has become a linchpin of patient rights and privacy within the healthcare sector.

As healthcare professionals, understanding and adhering to HIPAA regulations is not just a legal obligation but also a commitment to maintaining the trust and confidence of the patients they serve. The adherence to HIPAA compliance laws forms a crucial part of any covered entity’s operational framework.

The post What Are HIPAA Laws? appeared first on HIPAA Journal.

Seven Elements Of A Compliance Program

Posted by HIPAA Journal

The Seven Elements HIPAA Compliance Software SolutionThe seven elements of a compliance program are integrated processes organizations can adopt to help develop a culture of compliance in the workplace; and, when applied effectively, the seven elements can also be used to streamline operational processes, optimize organizational performance, and reduce overall costs.

Because HIPAA compliance can be confusing, we have compiled this guide to the seven elements to make them relevant for HIPAA. Some compliance software solutions guide compliance officers through the seven elements as part of their set-up process.

Summary Of The Seven Elements

While the seven elements of a compliance program apply to all industries, they originated in the healthcare industry in the 1990s. This was in response to the growing level of healthcare fraud and abuse and an alleged “compliance disconnect” at the executive level in many hospitals and health systems.

These are the seven elements, which we outline in more detail below:

#1: Implement written policies, procedures, and standards of conduct.
#2: Designate a compliance officer and a compliance committee.
#3: Conduct effective training and education.
#4: Develop effective lines of communication.
#5: Conduct internal monitoring and auditing.
#6: Enforce standards through well-publicized disciplinary guidelines.
#7: Respond promptly to detected offenses and undertake corrective action.

The Seven Elements For Effective HIPAA Compliance

Despite being more than twenty-five years old – and not necessarily having been adopted to tackle the same issues – many organizations still use the seven elements in their original format.

The Background to the Seven Elements

In 1991, the Department of Health and Human Services (HHS) launched the Workgroup for Electronic Data Interchange (WEDI). WEDI had the objective of reducing administrative costs in the healthcare system by promoting electronic claims submission.

It achieved its objective by requiring insurance carriers to reimburse healthcare providers more quickly for electronic claims than for paper claims, thus encouraging providers to submit more claims electronically.

As a result, the percentage of claims submitted electronically over the next five years more than doubled – making it harder for adjudicators to identify fraud and abuse attributable to unbundling, duplication, and global service violations.

According to a Congressional Report published by the General Accounting Office in 1995, it was estimated that as much as 10 percent of national healthcare spending was attributable to waste, fraud, and abuse (around $98 billion at the time).

The following year, the long-running Caremark Derivative Litigation case concluded – a case in which it was claimed the company’s board of directors had failed in their fiduciary duty of care to ensure the company’s compliance program was enforced.

Although cleared of “lacking good faith in the exercise of monitoring duties or conscientiously permitting a known violation to occur”, the company settled multiple felony charges against it by paying $250 million in civil and criminal fines.

The relevance of this case is that Caremark’s primary operations were providing patient care and managed care services; and, although the company had implemented compliance policies to prevent breaches of Anti-Referral Payments Laws, a series of violations resulted in shareholders claiming the board of directors had failed to adequately enforce the policies and, as a result, exposed the company to regulatory fines.

This accusation was not lost on the HHS’ Office of Inspector General (OIG).

OIG Publishes First Model Compliance Plan

The year after the conclusion of the Caremark Derivative Litigation case, OIG published its first model compliance plan (62 FR 9435-9441). Although aimed at clinical laboratories, the model compliance plan consisted of seven “compliance plan elements” that subsequently evolved into “the seven fundamental elements of an effective compliance program” in later compliance plans for hospitals, home health agencies, hospices, and nursing facilities.

The primary objective of the plan is fairly transparent. In the preamble to each of the plans, OIG states “many providers and provider organizations have expressed an interest in better protecting their operations from fraud and abuse through the adoption of voluntary compliance programs.” The word “fraud” is repeated a further twenty-eight times in the compliance plan for hospitals (63 FR 8987) and the compliance plan for nursing facilities (65 FR 14289).

It is also noticeable that, from the second plan onward, each plan includes a footnote stating “recent case law suggests that the failure of a corporate Director to attempt in good faith to institute a compliance program in certain situations may be a breach of a Director’s fiduciary obligations” – referencing the Caremark Derivative Litigation case. Clearly, OIG wanted to send the message that, if a voluntary compliance plan was implemented, oversight of the plan was expected.

The biggest influence for the creation of the seven elements of a compliance program (fraud prevention) is sometimes overlooked. This is not necessarily a bad thing because – around the same time – the passage of HIPAA introduced fraud controls and transaction standards that made it harder for healthcare providers to defraud or abuse the system. However, the seven elements can be adapted for more positive purposes than preventing, detecting, and responding to fraud.

What are the Seven Elements of a Compliance Program?

The Seven Elements Of A Compliance ProgramSince the first appearance of the seven elements, some versions have been amended or extended to meet organizational or regulatory requirements.

For example, when the Affordable Care Act made a compliance program a requirement of Medicare participation for some healthcare providers (42 CFR §483.85), an element was added that prohibits organizations from delegating discretionary authority to individuals who “the organization knew, or should have known through the exercise of due diligence, had the propensity to engage in criminal, civil, and administrative violations of the Social Security Act.”

However, as mentioned in the introduction to this article, many organizations that have implemented a compliance plan voluntarily still use the seven elements of a compliance program in their original format.

Please use the form on this page to arrange to receive a free copy of the HIPAA Compliance Checklist to use with the seven elements of a compliance program.

#1 Implement written policies, procedures, and standards of conduct

The best HIPAA compliance softwareThe seven elements of a compliance program are often depicted as a linear “start-to-finish” program or as a wheel that starts revolving again when it is completed its first cycle. Neither depiction is entirely accurate, as the seven elements of a compliance program have to integrate with each other at all times to make the program work effectively and facilitate improvements to the program.

The first of the seven elements of a compliance program is a suitable example of why it is important to view a compliance program holistically because it calls for the development of standards (etc.) under the direction of a compliance officer. Yet organizations are not advised to designate a compliance office until element #2:

“Every compliance program should develop and distribute written compliance standards, procedures, and practices that guide the facility and the conduct of its employees throughout day-to-day operations. These policies and procedures should be developed under the direction and supervision of the compliance officer, the compliance committee, and operational managers.”

If you view the seven elements of a compliance program as a linear program, you could be confused when the second element instructs you to designate the compliance officer you need to complete the first element. You might also be confused if you view the compliance program as a wheel, because it means you will need to rotate the wheel counter clockwise from #2 to #1.

#2 Designate a compliance officer and compliance committee

The temptation with element #2 is to delegate the role of compliance officer and the membership of a compliance committee to members of the same HR, legal, or operations teams or department heads of these teams. This can be a mistake if (for example) the legal team does not understand the real-life challenges of compliance in the workplace.

While it is a good idea to head the compliance committee with a person of authority, it is beneficial to include personnel with public-facing roles (i.e., healthcare professionals) and a mixture of personnel from IT, security, and administration who can provide insights on which policies will work and which won’t without changes to working practices.

#3 Conduct effective training and education

Integrating training and education into a compliance program should not be difficult for most organizations in the healthcare industry, as the majority are required to comply with the HIPAA training requirements, while some are also required to provide annual compliance training as a condition of participation in the Medicare program.

Of significance, in the original seven elements of a compliance program, OIG notes that the continual retraining of personnel at all levels (emphasis added) is a significant element of an effective compliance training program. Along the same lines, OIG adds that adherence to the elements of the compliance program should be a factor in evaluating the performance of managers and supervisors.

#4 Develop effective lines of communication

The development of effective lines of communication is pivotal to the seven elements of a compliance program because effective lines of communication are necessary for members of the workforce to raise questions, report violations, and provide feedback on corrective action plans that may necessitate amendments to policies and procedures and further training.

Ideally the creation and maintenance of effective lines of communication between the compliance officer/committee and the workforce should include a hotline or anonymous reporting system to receive questions, reports, and feedback. Organizations should also adopt procedures to protect the anonymity of complainants and to protect whistle-blowers from retaliation.

#5 Conduct internal monitoring and auditing

This element of an effective compliance program provides an opportunity for executive officers to demonstrate oversight by requesting compliance reports and audits from the compliance officer. In healthcare environments, these reports and audits should be conducted regularly to comply with the HIPAA requirement for regular risk analyses and be available at all times for executive review.

If executive officers participate in this element, it also provides an opportunity to extend lines of communication “from the top to the bottom”. Although it is not always practical to have members of the workforce communicate directly with executive officers (and vice versa), the involvement of executive officers demonstrates a commitment to compliance throughout the entire organization.

#6 Enforce standards through well-publicized disciplinary guidelines

Most organizations distribute disciplinary guidelines at the point of training. Indeed, in the healthcare industry, the standards relating to training and sanctions are almost adjacent to the Administrative Requirements of the Privacy Rule – so it is rare that an explanation of the organization’s sanctions policy is not included in initial HIPAA training.

With regard to enforcing standards, it is important that sanctions are applied fairly. If one group of the workforce is sanctioned more often or more harshly than another group for no justifiable reason, executive officers need to find out why. While it may be the case that one manager is enforcing standards over-zealously, it may equally be the case that another manager is allowing the workforce to take shortcuts with compliance “to get the job done”.

#7 Respond promptly to detected offenses and undertake corrective action

When the seven elements of a compliance plan were originally published in the 1990s, this element focused almost entirely on detecting fraud, reporting it, and enforcing sanctions or implementing measures to prevent it from happening again. With fraud prevention being a less important objective of a compliance plan than it was twenty-five years ago, this element can be used to monitor the effectiveness of the compliance program and improve it where necessary.

For example, if an offense has occurred due to a loophole in a policy (element #1), a lack of training (#3), a communication failure (#4), or a monitoring issue (#5), the compliance officer (#2) can evaluate the existing policies, procedures, and standards, and adjust them as necessary (#7). If the offense has occurred due to the actions of a non-compliant member of the workforce, it may be necessary to increase the penalties in the sanctions policy (#6) to be more of a deterrent.

The Challenges and Benefits of Adopting a Compliance Plan

Software For Compliance OfficersAdopting the seven elements of a compliance plan can be challenging for an organization starting from scratch. It can be difficult to get leadership buy-in because compliance is not perceived as a revenue generator, it can be difficult to define compliance roles in a complex regulatory environment, and it can be difficult to pull everything together with limited resources.

In healthcare environments, these challenges are mitigated by the fact that many of the elements are – or should be – already in place. HIPAA-covered entities should have developed policies and procedures to comply with the Privacy Rule, have a training and sanctions program up and running, and have procedures for conducting internal audits and responding to data breaches.

All that needs to be done in many healthcare environments is for the compliance officer to bring together the seven elements of a compliance plan into one integrated plan. When managed effectively, the plan will help organizations develop a culture of compliance that can help to reduce costs (i.e., regulatory fines), enhance the organization’s operations (i.e., through improved communication), and advance the quality of healthcare.

This final benefit of adopting a compliance plan is one many organizations are only starting to realize as it has only recently been demonstrated that, when patients believe PHI will remain confidential, they tend to be more forthcoming about healthcare issues. This enables healthcare professionals to make better-informed diagnoses and prescribe more effective courses of treatment, which results in better patient outcomes, satisfaction scores, workplace morale, and staff retention.

Get Help Developing Your Compliance Plan

Multiple sources on the Internet offer help with developing a compliance plan. One of the best is the HHS’ Office of Inspector General compliance guidance web page which includes updated guidance on the seven elements of a compliance program in its General Compliance Program Guidance document.

However, if your organization is a multi-disciplined Covered Entity or Business Associate, and you need more granular help developing a compliance plan, it may be worthwhile reviewing our HIPAA compliance checklist.

Steve Alder, Editor-in-Chief, The HIPAA Journal

The post Seven Elements Of A Compliance Program appeared first on The HIPAA Journal.

AI in Healthcare

Posted by HIPAA Journal

The topic of AI in healthcare often gets mixed reactions. While some people are firm believers in the benefits of AI in healthcare and the considerable benefits to patients, others have concerns about the ethics of AI in healthcare and there is considerable apprehension about the use of AI in healthcare attributable to a lack of knowledge about AI. In this article, we will explain what artificial intelligence is, the benefits of AI in healthcare, and how concerns about the ethics of AI in healthcare need to be overcome. 

What is Artificial Intelligence (AI)?

One of the reasons why some people approach the topic of AI in healthcare with a degree of apprehension is that different sources offer different definitions of AI. It is also the case that some sources confuse AI with Machine Learning (ML), which strictly speaking is a subset of AI. To quote Microsoft’s definitions of the two terms: 

Artificial intelligence is the capability of a computer system to mimic human cognitive functions such as learning and problem-solving. Through AI, a computer system uses math and logic to simulate the reasoning that people use to learn from new information and make decisions.

Machine learning is an application of AI. It is the process of using mathematical models of data to help a computer learn without direct instruction. This enables a computer system to continue learning and improving on its own, based on experience.

Therefore, while AI and ML are closely connected, they are not the same. Generally, a computer system uses AI to think like a human and perform tasks on its own, whereas ML is how a computer system develops its intelligence. Importantly, many of the concerns related to AI in healthcare revolve around how computer systems develop Artificial Intelligence and their capabilities to learn and make decisions without human instruction.

How Computer Systems Develop Artificial Intelligence

There are many different standard and hybrid techniques that determine how computer systems develop Artificial Intelligence. Generally, most follow the same two-stage process:

Supervised Learning

Most new AI systems start with a supervised learning process in which labeled datasets with known outcomes are fed into a system to train an algorithm on how to classify data. The outcomes produced by the system are then weighted to match the previously known outcomes. Often, this stage is followed by “semi-supervised learning” in which labeled datasets guide the algorithm as it classifies unlabeled datasets and predicts outcomes for the unlabeled data.

Unsupervised Learning

In unsupervised learning, the trained algorithm has to detect underlying patterns and relationships in never-before-seen unlabeled data in order to produce accurate outcomes. With unsupervised learning, it is important to remember that the aim is to make sense of data in the context of a specific question. How the answer is determined will depend on how the algorithm has been trained and weighted during the supervised and semi-supervised stages.

While this explanation might fail to reassure those who are concerned or apprehensive about AI – because “answers” are dependent on how the algorithm has been trained, the quality of data used to train the algorithm, how the output is weighted, and what the question is that the algorithm is trying to answer – artificial intelligence has in fact been present in many areas of everyday life for several years. For example:

  • Most people have played a video game against an AI-driven computer
  • AI is used by the finance industry to detect potential credit card fraud
  • The security industry uses AI to monitor multiple clusters of CCTV systems 
  • Netflix “because you watched” recommendations are produced by AI
  • AI produces the routes recommended by Google Maps and other travel apps
  • Many email spam filters and antivirus software solutions are fine-tuned by AI

But, what about AI in healthcare? How is that being used, who is using it, and what are the benefits? Additionally, are concerns about the ethics of AI in healthcare justified; and, if so, what can be done to overcome the concerns? These questions are easier to answer with an understanding of what AI is and how computer systems develop artificial intelligence.

Examples of AI in Healthcare

AI in healthcare is an umbrella term for all the many different ML algorithms and other cognitive technologies that are used in the healthcare industry. Some algorithms are more advanced than others, most have been designed to answer specific questions, and – even when the specific question is the same – some have been trained or weighted differently from others.

Consequently, there are many examples of AI in healthcare from patient-orientated AI such as chatbots that can listen to a patient’s symptoms and health concerns, to pharma-orientated AI that can help bring life-saving treatments to market faster. Between either end of the healthcare spectrum, there are many more examples of AI in healthcare:

Medical Imaging

Using computer vision to identify health conditions in medical images is quickly becoming a primary use for AI-driven technology. More advanced algorithms can distinguish tumors from lesions and other diseases – resulting in more accurate diagnoses, faster administration of treatments, and better patient outcomes. 

Precision Medicine

Similarly, computer systems that have been trained on precision medicine can develop medicinal or behavioral regimes specifically tailored to each patient depending on their condition, metabolic profile, microbiome composition, diet, lifestyle, sleep patterns, and many more data points collected and analyzed over years.

Physician Guidance

While robots performing major surgeries may still be a science fiction fantasy, some AI technologies have been developed that can guide physicians during minimally invasive surgical procedures via automated workflows and decision support. Most often, these technologies are used in treating strokes and heart conditions and for endovascular procedures.

Detecting Patient Deterioration

In post-acute environments, healthcare providers dedicate a lot of resources to checking vital signs to identify postoperative adverse events. AI-enabled tools can help care teams by calculating early warning scores that detect patient deterioration due to events such as respiratory failure or cardiac arrest – thus enabling more rapid responses. 

Predictive Equipment Maintenance

As well as detecting patient deterioration, AI can be deployed to predict when medical equipment is in need of maintenance. Through remote sensing, AI can monitor the performance of medical hardware to proactively identify when it may need maintenance or replacement – reducing downtime, preventing avoidable interruptions to clinical practice, and mitigating patient delays.

Automated Resource Allocation

A major administrative challenge for large healthcare providers is patient flow and resource allocation. The failure to have the right resources in the right place at the right time puts patients at risk and increases unnecessary bed occupancy. However, using AI to identify patterns from real-time and historical data enables providers to optimize flow management efficiency.

Healthcare AI Companies 

Compiling a list of healthcare AI companies is difficult because companies face multiple challenges in developing AI solutions that demonstrate real-world performance, meet medical needs, and address regulatory requirements. Consequently, many start-ups fail to make an impact in the healthcare industry and redirect their talents elsewhere. Some of those currently making an impact include:

PathAI

PathAI was founded with the aim of developing AI technology that could reduce error rates in pathology. The company’s AISight pathology platform was developed, trained, and validated using more than fifteen million annotations, and PathAI is now in the process of developing diagnostic solutions for gastroenterologists, dermatologists, oncologists, urologists, and gynecologists.

Regard

Unlike patient-orientated AI which can help users identify the causes of symptoms, Regard is an end-to-end AI solution for physicians that analyzes and synthesizes patient data, recommends diagnoses, and automates note-taking. By mitigating the risk of misdiagnoses and tackling repetitive tasks, physicians have more time available to see more patients and maximize revenues.

Freenome

Freenome is one of a number of healthcare AI companies that combine computational biology and machine learning to support better cancer management through early detection and precision intervention. Freenome’s AI platform can be deployed at general screenings or used to detect signs of cancer in diagnostic and blood tests.

Beth Israel Lahey Health

The Beth Israel Deaconess Medical Center – also known as Harvard University’s teaching hospital – used 25,000 images of blood samples to develop an AI-enhanced microscope that can detect harmful bacteria such as staphylococcus and E. coli much faster than is possible using manual scanning. To date, the microscopes have achieved a 95% accuracy rate.

VirtuSense

VirtuSense uses AI sensors to track inpatients’ movements so that providers and caregivers can be notified of potential falls. The company’s product range includes VSTAlert, which can predict when a patient intends to stand up to alert care reams, and VST Balance, which employs AI and machine vision to analyze a person’s risk of falling within the next year.

Benefits of AI in Healthcare

The above examples of AI in healthcare and technologies developed by healthcare AI companies focus on the “in-house” benefits of AI in healthcare inasmuch as they help deliver accurate diagnoses and treatment plans, prevent adverse events and accidents, and improve patient flow management. Outside of hospital environments, there are many further benefits of AI in healthcare. 

From a patient’s perspective, AI technologies not only improve outcomes and help prevent adverse events in hospitals but can also enhance the remote patient experience. Advocates of AI in healthcare see AI as a way of providing convenient access to medical advice in the home, increasing patient engagement, and empowering patients to take more responsibility for their health and well-being.

Further benefits of AI in healthcare relate to how quickly pharmaceutical companies can bring new drugs to markets. Drug development processes can be significantly accelerated with AI technologies that quickly extract meaningful information from large datasets to predict harmful interactions with existing drugs, improve the quality of clinical trials, and reduce time to approval.

One recent example of the benefits of AI in healthcare is how AI was used during the COVID-19 pandemic to detect outbreaks, facilitate diagnoses, and accelerate gene sequencing. It is hoped that, as a tool for public health, AI can be used in the future to predict and track the spread of other infectious diseases by analyzing data from government, healthcare, and other sources.

Ethics of AI in Healthcare 

According to a survey conducted by Dataiku in 2020, concern about the ethics of AI in healthcare is the primary organizational challenge stalling the adoption of AI in healthcare environments. Although specific concerns differ by organization, the concerns can generally be categorized as informed consent to use data, safety and transparency, algorithmic fairness, and data privacy. 

These concerns are not unique to the United States nor to the healthcare industry. Governments and regulatory agencies across the world have struggled to resolve this challenge – with many implementing rules and regulations to govern how AI is used. In the United States, a patchwork of state and federal laws partially addresses the challenge, but many concerns remain.

To help support governments and regulatory agencies pass fair and consistent legislation, in 2021 the World Health Organization published guidance on the “Ethics and Governance of Artificial Intelligence for Health”. This comprehensive publication endorses six key ethical principles for consideration by governments, developers, companies, and society as a whole:

  • Protect human autonomy
  • Promote human well-being, safety, and the public interest 
  • Ensure transparency, explainability, and intelligibility
  • Foster responsibility and accountability
  • Ensure inclusiveness and equity
  • Promote AI that is responsive and sustainable

Although political influences have resulted in the United States AI strategy shifting towards a market-orientated approach, the National Defense Authorization Act 2021 instructed the National Institute of Standards and Technology (NIST) to develop a framework for trustworthy AI systems that establishes common definitions and characterizations for aspects of trustworthiness. 

With the exception of protecting human autonomy, the five remaining key ethical principles endorsed by the World Health Organization likely will be incorporated into the framework according to NIST’s latest report to Congress. If approved by Congress, the NIST AI standards could resolve many of the concerns about the ethics of AI in healthcare.

How NIST Standards Could Accelerate AI Adoption in Healthcare

In January 2021, a HITECH Act update came into effect – an amendment that gave the HHS’ Office for Civil Rights enforcement discretion when investigating data breaches if the breached organization could demonstrate twelve month’s continuous compliance with “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act” or a similar Act.

There is no evidence that HIPAA Covered Entities and Business Associates took their compliance obligations any more seriously after the enactment of the HITECH Act update, but it is noticeable that – despite a significant increase in the number of financial penalties issued by HHS’ Office for Civil Rights in the past two years – only four have been for violations of the Security Rule.

If there are amendments to the NIST Act to incorporate AI standards, and if a law is passed giving HHS’ Office for Civil Rights enforcement discretion when the standards are applied in healthcare organizations, this could accelerate AI adoption in healthcare as not only would it resolve many of the concerns about the ethics of AI in healthcare, it would also resolve the second highest challenge to the adoption of AI in healthcare (according to Dataiku) – the lack of regulatory guidance.

The Future of AI in Healthcare

The future of AI in healthcare is unclear if concerns about the ethics of AI in healthcare and the lack of regulatory guidance are allowed to continue. If the situation remains as it is, AI will continue to be incorporated into healthcare processes in piecemeal stages – which will continue to add value to healthcare operations and improve the patient experience but may result in inequalities that could make the wider adoption of AI in healthcare much more difficult in the future. 

Alternatively, and notwithstanding that AI technologies are improving and becoming more sophisticated all the time, federal agencies – including the HHS – could introduce temporary guidance on the use of AI until such time as effective standards are developed. This would give healthcare organizations more confidence to adopt AI technologies with benefits for patients, organizations, and public health in general.



The post AI in Healthcare appeared first on HIPAA Journal.

Editorial: Benefits of HIPAA for Healthcare Organizations

Posted by HIPAA Journal

One of the problems with developing legislation for the entire healthcare industry is rules must be written for organizations of different sizes, with vastly different business models, budgets, staffing levels, and capabilities. Rules need to be written that are sufficiently flexible to accommodate this variety and be appropriate for all organizations and their unique operating structures.

One of the challenges with developing HIPAA was to create rules that would correct inefficiencies and get the healthcare system working more harmoniously. They also needed to stand the test of time and be flexible enough to accommodate changes that could not be envisaged when the legislation was signed into law. When the Privacy and Security requirements were introduced, they needed to be specific enough to serve as a practical framework for healthcare organizations to follow yet be flexible enough to account for changes in technology and operating practices over time.

This was vital as the process of updating legislation is simply too slow to allow for regular changes to be made. The HHS needs to issue a request for information to find out what needs to change, process the feedback, then a notice of proposed rulemaking, review the comments on the proposed changes, pen the final rule, issue that rule, and provide sufficient time for healthcare organizations to comply with the changes. That process spans several years, yet working practices evolve and new technology is constantly being introduced.

The way that HIPAA needed to be written has naturally led to the legislation receiving a lot of criticism. HIPAA has been criticized for having too many requirements and also not enough in certain areas, and for being too inflexible and difficult to interpret, and challenging to comply with. Despite the challenges of compliance and the gaps in HIPAA, the legislation has provided many benefits for healthcare organizations, healthcare professionals, patients, and health plan members. The legislation is far from perfect and HIPAA is in desperate need of updating – new HIPAA regulations will soon be introduced – but in its current form, the benefits of this important legislative act far outweigh any disadvantages.

In this article – and the next two in the series – I will explain the benefits of HIPAA and how the proposed Privacy Rule changes will help to address some of the current pain points and should significantly improve HIPAA for healthcare organizations, their employees, patients and members. You can read about the benefits of HIPAA for healthcare professionals here.

How HIPAA has Benefited Healthcare Organizations

HIPAA was signed into law more than 25 years ago in 1996 before many current healthcare workers had even been born. For those in the industry old enough to remember, at that time there was a desperate need to improve efficiency in the healthcare industry, as a huge amount of time and effort was wasted on inefficient manual processes, the cost of which was driving up the cost of healthcare at an unsustainable level.

HIPAA improved efficiency by standardizing healthcare transactions across the industry, including requiring all healthcare organizations to use the same standard code sets and follow standard administrative practices. Not only did the standards introduced by the HIPAA Administrative Simplification Rules help to eliminate waste and reduce the administrative burden on healthcare organizations, they have also helped to improve patient safety by reducing the potential for medical errors by making it easier to match records with the right patients. Before the introduction of HIPAA, healthcare fraud was rife and was costing the healthcare industry around $7 billion a year. The standardization of healthcare transactions has helped to reduce significantly reduce fraud.

The introduction of the HIPAA Privacy, Security, and Breach Notification Rules brought many benefits to healthcare organizations, but also some of the biggest pain points for HIPAA-covered entities. These updates required considerable changes to working practices and came with a significant administrative burden. HIPAA set clear – and sometimes not so clear – rules on how health information can be used and disclosed, how health information must be handled, and the policies and procedures that need to be implemented to ensure the confidentiality, integrity, and availability of protected health information. The HIPAA Privacy Rule has empowered patients to take a much more active role in their healthcare, allowing them to check their medical records for errors and get any errors corrected, which has helped to reduce the risk of medical errors and improve patient outcomes, which naturally has many benefits for healthcare organizations. By having standard rules in place, patients have the same rights no matter where they obtain care, and the safeguards to ensure the confidentiality of health information have helped to build trust between patients and their healthcare providers.

The HIPAA Security Rule set standards for all covered entities to follow to ensure the confidentiality, integrity, and availability of electronic health information and helped healthcare providers successfully transition from paper records and charts to electronic health records and encouraged the adoption of new technologies for improving efficiency and the quality of care in a safe and secure way. The HIPAA Security Rule was not meant to be a comprehensive checklist of every security measure that should be considered or implemented, rather it is a set of minimum standards for security that must be achieved. By adopting those standards, healthcare organizations have prevented many data breaches and avoided the considerable costs of those breaches. Many of the data breaches now being reported are due to employee errors and non-compliance with the HIPAA Security Rule.

The HIPAA Breach Notification Rule provides important benefits to patients, but there are also benefits for healthcare organizations. Compliance with this aspect of HIPAA ensures transparency about unauthorized access and disclosures of protected health information and promptly notifying patients about data breaches – which are often out of the control of healthcare organizations –can improve trust in healthcare organizations and reduce the reputational damage caused by data breaches. Importantly, HIPAA lacks a private cause of action, which helps HIPAA-covered entities avoid the considerable legal costs of defending lawsuits from patients who believe their privacy has been violated.

How the Proposed Updates to the HIPAA Privacy Rule will Benefit Healthcare Organizations

While the HIPAA Rules lack specificity in certain areas and incorporate flexibilities to avoid the need for regular updates, updates to HIPAA are required to accommodate changes in working practices and advances in technology, and to correct the elements that are either not achieving the purpose they were intended to or are no longer important. There has also been considerable criticism over the years that HIPAA continues to place an unnecessary administrative burden on healthcare organizations. After issuing an RFI, OCR published a Notice of Proposed Rulemaking in 2021 to update the HIPAA Privacy Rule, mostly to strengthen individuals’ rights to access their own health information and to reduce the administrative burden on healthcare organizations.

These Privacy Rule changes should help to improve information sharing, which will make patient care coordination and case management easier, including the coordination and management of care through social and community services. The updates will also facilitate family and caregiver involvement in the care of individuals that are experiencing emergencies or health crises. The restrictions of HIPAA have been clear became clear throughout the opioid and COVID-19 public health emergencies. The update helps to address this by incorporating flexibilities to permit disclosures in emergencies and threatening circumstances. These updates will help healthcare providers deliver better care and improve patient outcomes.

The amount of paperwork involved in providing healthcare also needed to be addressed. Finally, some of the time-consuming tasks that healthcare organizations still need to perform manually are being eliminated, such as the requirement for a covered entity to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices and retain copies of that documentation for 6 years.

Any update to HIPAA comes with a considerable workload initially but the benefits should be felt quickly. OCR believes the efficiencies introduced by the Privacy Rule changes will help to save $3.2 billion over five years, thus limiting the increase in the cost of healthcare. The Final Rule has yet to be published in the Federal Register, but that should finally happen in 2023.

Healthcare Organizations are Still Struggling with HIPAA Compliance After 26 Years

HIPAA has been in effect for 26 years, the Privacy and Security Rules for two decades, and the Omnibus Rule and Breach Notification Rules for 14 years, yet HIPAA compliance is still proving to be a challenge for many healthcare organizations.

One of the common complaints about HIPAA that makes compliance complicated is the frequent use of terms use as reasonable… exercise reasonable diligence, implement reasonable and appropriate policies and procedures, reduce risks and vulnerabilities to a reasonable and appropriate level. There are also ‘required’ and ‘addressable’ provisions, where addressable provisions are still required elements of compliance, in some form. These flexibilities are what make HIPAA workable for such a wide range of healthcare organizations and stay relevant, but they can present significant challenges for healthcare organizations, especially smaller practices that lack the staff and resources to devote to compliance.

One of the ways that many smaller healthcare organizations have simplified compliance and ensured all the i’s are dotted and t’s are crossed is by using HIPAA compliance software. These software solutions guide healthcare organizations through compliance with all aspects of the HIPAA Rules, eliminating the guesswork and making sure that no provisions are overlooked. The software can be used to achieve compliance and maintain the compliance program, prompting risk analyses, updates, and training, and ensuring compliance efforts are fully documented to ensure painless audits and investigations.

Security Rule compliance can be particularly challenging, as the Security Rule does not provide specifics about technologies that should be used to protect healthcare data. Many healthcare organizations have simplified compliance and gone above and beyond the requirements of HIPAA by adopting a cybersecurity framework. Frameworks such as the NIST Framework for Improving Critical Infrastructure Cybersecurity and the HITRUST Cybersecurity Framework provide structure, transparency, and guidance for achieving compliance with HIPAA and other privacy and security regulations and provide clarity and consistency while reducing the burden of compliance.

In 2021, the HITECH Act received an update to encourage the adoption of recognized security practices such as those developed under section 405(d) of the Cybersecurity Act of 2015 and covered by these cybersecurity frameworks to improve cybersecurity across the healthcare industry. The update provides incentives in the form of reduced penalties and sanctions and shorter audits and investigations by OCR, which considers the adoption of recognized security practices as a mitigating factor when making determinations about HIPAA Security Rule violations and data breaches.

HIPAA is Only the First Step

The main benefits of HIPAA for healthcare organizations are improvements in efficiency through standardized working practices which eliminate waste, improve patient safety, and boost profits. HIPAA compliance fosters trust between providers and patients and health plans and their members and helps to improve patient outcomes, increase patient and client loyalty, and improve retention.

However, HIPAA is just a set of minimum standards for privacy and security, so HIPAA compliance can be viewed as only the first step. Adopting a cybersecurity framework and implementing recognized security practices will further strengthen an organization’s security posture, and thanks to the HITECH Act update, there is now an added incentive for doing this.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: Benefits of HIPAA for Healthcare Organizations appeared first on HIPAA Journal.

Webinar Today: 12/6/2022: How to Complete Your 2022 Risk Assessment

Posted by HIPAA Journal

The Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-covered entities and their business associates to complete a risk assessment. The purpose of the risk assessment is to identify and evaluate all risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). An annual risk assessment is also required by MACRA/MIPS.

Only by conducting a risk assessment is it possible to identify all risks to ePHI, evaluate them, prioritize them, and then subject them to the risk management process. Despite the importance of this element of HIPAA compliance, it is one of the most commonly cited HIPAA violations by the HHS’ Office for Civil Rights in its enforcement activities and HIPAA audits.

The risk assessment should not be viewed as a HIPAA compliance checkbox item to avoid financial penalties. Conducting a comprehensive HIPAA risk assessment will identify vulnerabilities before they are found and exploited by threat actors. Completing an annual HIPAA risk assessment will help HIPAA-regulated entities prevent costly data breaches as well as avoid regulatory fines.

To help you complete your 2022 HIPAA risk assessment and ensure you are fully compliant, Compliancy Group is hosting a webinar that provides an overview of everything you need to know about completing your 2022 risk assessment. Previous webinars have already helped many HIPAA-regulated entities ensure compliance with this important HIPAA requirement.

The 2022 deadline is approaching so covered entities must conduct their HIPAA risk assessment by the end of the year. Due to popular demand and the importance of the subject matter, this webinar is now being run again in December.

Mark the date in your calendar and register for the webinar using the form below.

2022 Deadline Approaching Fast

How to Complete your 2022 HIPAA Risk Assessment

December 7th @ 2:00 pm ET ¦ 1:00 pm CT ¦ 12:00 pm MT ¦ 11:00 am PT

 

The post Webinar Today: 12/6/2022: How to Complete Your 2022 Risk Assessment appeared first on HIPAA Journal.

Reader Offer: Free Annual HIPAA Risk Assessment

Posted by HIPAA Journal

HIPAA Journal has partnered with The Compliancy Group to offer its readers a free annual HIPAA Risk Assessment.

 

 

Covered Entities like medical practices and Business Associates like IT providers are required conduct a HIPAA risk assessment by the 2003 HIPAA Security Rule (45 CFR § 164.308 – Security Management Process) and HITECH Act 2009.

The post Reader Offer: Free Annual HIPAA Risk Assessment appeared first on HIPAA Journal.