Editor's Note: Part I of our three-part package takes a big-picture look at BPM in healthcare, while Part II focuses on BPM's role in helping eliminate paper records. Here, Part III examines BPM's role in helping healthcare organizations with ever-tougher regulatory compliance.
When it comes to helping healthcare providers comply with a maze of regulations designed to protect the security and confidentiality of patient records, BPM could be just what the doctor ordered.
Among the best-known and most stringent requirements are those contained in the Health Insurance Portability and Accountability Act (HIPAA), which, among other things, requires healthcare organizations to implement the principle of least privilege.
In theory, the principle is straightforward: Access to personal health information (PHI) should be restricted as much as possible while still allowing for normal functioning. But implementing that approach can be particularly difficult in the healthcare universe given the complexity of medical IT systems and one big variable—the people who work in the field.
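One way to make the principle concrete is an access check that is deny-by-default and releases only the fields a given role needs for a given purpose. The following is an added illustration, not code from the article or from any product it mentions; the roles, purposes, field sets and patient record are constructed for the example, and the policy table is a hypothetical one an organization would replace with its own.

```python
"""Least-privilege access to PHI: deny by default, release only the
minimum necessary fields for the stated purpose, and keep an audit trail."""
from dataclasses import dataclass

# Constructed sample record (not real patient data).
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "dob": "1970-01-01",
    "diagnoses": ["hypertension"],
    "medications": ["lisinopril"],
    "billing_codes": ["I10"],
    "insurance_id": "INS-123",
}

# Hypothetical policy: role -> purpose -> fields that role may see.
# Anything not listed here is denied; there is no "allow all" entry.
POLICY = {
    "physician": {
        "treatment": {"patient_id", "name", "dob", "diagnoses", "medications"},
    },
    "billing_clerk": {
        "payment": {"patient_id", "name", "billing_codes", "insurance_id"},
    },
    "receptionist": {
        "scheduling": {"patient_id", "name"},
    },
}

AUDIT_LOG = []  # every decision, allowed or not, is recorded here


@dataclass
class Decision:
    allowed: bool
    fields: dict   # the subset of the record actually released
    reason: str


def access_phi(role, purpose, record, requested=None):
    """Return a Decision for `role` asking for `requested` fields of `record`
    for `purpose`. If `requested` is None, the caller gets exactly the
    fields the policy permits and nothing more."""
    permitted = POLICY.get(role, {}).get(purpose)
    if permitted is None:
        reason = f"no policy grants role {role!r} access for purpose {purpose!r}"
        AUDIT_LOG.append((role, purpose, record["patient_id"], "DENY", reason))
        return Decision(False, {}, reason)

    wanted = set(requested) if requested is not None else set(permitted)
    over_reach = wanted - permitted
    if over_reach:
        # Asking for even one field outside the permitted set fails the whole
        # request; partial release would quietly widen the role's access.
        reason = f"fields {sorted(over_reach)} exceed what {purpose!r} requires"
        AUDIT_LOG.append((role, purpose, record["patient_id"], "DENY", reason))
        return Decision(False, {}, reason)

    released = {k: v for k, v in record.items() if k in wanted}
    AUDIT_LOG.append((role, purpose, record["patient_id"], "ALLOW", sorted(wanted)))
    return Decision(True, released, "minimum necessary fields released")


def audit_entries(patient_id):
    """Return the audit trail for one patient, so access can be reviewed."""
    return [e for e in AUDIT_LOG if e[2] == patient_id]


if __name__ == "__main__":
    print(access_phi("physician", "treatment", PATIENT_RECORD))
    print(access_phi("receptionist", "scheduling", PATIENT_RECORD,
                     requested=["name", "diagnoses"]))
    print(access_phi("visitor", "treatment", PATIENT_RECORD))
    for entry in audit_entries("P-0001"):
        print(entry)
```

The two design choices worth noting are that an unknown role or purpose yields a denial rather than an error path that might be caught and ignored, and that the audit log records denials as well as grants, since a pattern of over-broad requests is exactly the kind of signal a compliance review needs.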
BPM AND HEALTHCARE: A GOOD MATCH
A healthcare organization's information-handling processes are well suited for BPM methodologies, particularly when the goal is to achieve and maintain HIPAA compliance. "How you gather information about a patient and put it into a system will affect [other users'] ability to use that information. How [they] use that information will have some effect on issues of compliance and efficiency," says Steven J. Spear, a senior fellow at the Institute for Healthcare Improvement and a senior lecturer at the MIT Sloan School of Management.
Medical IT systems can support HIPAA compliance efforts through technical access controls, but they still pose a risk to the privacy of PHI. "A system being complex means that when it's designed, something may be overlooked and a vulnerability is inadvertently built in," says Spear, whose most recent book is "The High Velocity Edge: How Market Leaders Leverage Operational Excellence to Beat the Competition" (McGraw-Hill, 2010). "Dynamically, even if it's perfect in the moment, change is occurring fast enough that the system is acquiring imperfections as time progresses," he continues. "How do you manage systems so that despite their complexity and dynamic nature, you ensure patient confidentiality doesn't get violated?"