BPM plays a critical role in healthcare compliance

Editor's Note: Part I of our three-part package takes a big-picture look at BPM in healthcare, while Part II focuses on BPM's role in helping eliminate paper records. Here, Part III examines BPM's role in helping healthcare organizations with ever-tougher regulatory compliance.

When it comes to helping healthcare providers comply with a maze of regulations designed to protect the security and confidentiality of patient records, BPM could be just what the doctor ordered.

Among the best-known and most stringent requirements are those contained in the Health Insurance Portability and Accountability Act (HIPAA), which, among other things, requires healthcare organizations to implement the principle of least privilege.

In theory, the principle is straightforward: Access to personal health information (PHI) should be restricted as much as possible while still allowing for normal functioning. But implementing that approach can be particularly difficult in the healthcare universe given the complexity of medical IT systems and one big variable: the people who work in the field.


A healthcare organization's information-handling processes are well suited for BPM methodologies, particularly when the goal is to achieve and maintain HIPAA compliance. "How you gather information about a patient and put it into a system will affect [other users'] ability to use that information. How [they] use that information will have some effect on issues of compliance and efficiency," says Steven J. Spear, a senior fellow at the Institute for Healthcare Improvement and a senior lecturer at the MIT Sloan School of Management.

Medical IT systems can support HIPAA compliance efforts through technical access controls, but they still pose a risk to the privacy of PHI. "A system being complex means that when it's designed, something may be overlooked and a vulnerability is inadvertently built in," says Spear, whose most recent book is "The High Velocity Edge: How Market Leaders Leverage Operational Excellence to Beat the Competition" (McGraw-Hill, 2010). "Dynamically, even if it's perfect in the moment, change is occurring fast enough that the system is acquiring imperfections as time progresses," he continues. "How do you manage systems so that despite their complexity and dynamic nature, you ensure patient confidentiality doesn't get violated?"

Systems can be developed in ways that limit complexity, Spear says. Rather than adding functionality to a flat hierarchy of design, additional development efforts can be compartmentalized so that they can be viewed separately but also understood in terms of how they relate to each other.

But even a simple system will experience a constant flow of evolving demands, and, at some point, it won't operate as expected. "The folks who are very successful with complex systems are not only very deliberate in how they design them, they also [know they may] see things that are contrary to what is expected," Spear says. "It's better to see it sooner than later so that they can come to an understanding of the problem and act on that understanding."

Abnormal system behavior can indicate some sort of vulnerability and, if ignored long enough, that vulnerability could mushroom into a serious problem. Of course, that's true for any IT system, but the risk is amplified in healthcare organizations, where IT typically isn't core to the average user's work. "There is less discipline [around information processing] in the healthcare setting than in industries where processing information is what they do to generate value," Spear says.


It's important for healthcare organizations to establish how information is processed within a system (that is, how it is transmitted, stored and so forth) and to clearly communicate to users how the system should operate. Healthcare organizations in particular should have a low tolerance for abnormal system behavior. They should provide users with a way to quickly report problems whenever systems don't operate as expected. Spear calls this "preventative care for business processes," adding: "This puts a lot of pressure on IT to respond to a lot of little things, but by responding to a lot of little things, you avoid the big things. You end up with a lot of aberration, but you're not dealing with a catastrophe."

In addition, he says, one employee should be designated as "owner" for each system; that person can help report abnormalities or problems as they arise.

Just as important as being sensitive to unexpected system behavior is the need to recognize when processes aren't doing anything to help achieve HIPAA compliance or meet other critical goals.

"Healthcare organizations need the ability to look at a process, recognize that they didn't anticipate a variable and have the flexibility to make a change to the process," says Christine Leyden, chief accreditation officer of the health care accreditation and education organization URAC (previously called the "Utilization Review Accreditation Commission," the organization is now known simply by its acronym). And there are plenty of variables, given the extent of human involvement in a variety of roles: resident healthcare personnel, patients and family members, representatives from other healthcare organizations who may need access to PHI.

"The biggest challenge is to think beyond the inner walls of where the care is provided and to think about how that information is going out to the community," Leyden says. All key stakeholders involved in information processing should understand the information-sharing guidelines so that they're better equipped to make informed decisions. And, Leyden reiterates, they need the flexibility and empowerment to determine whether they need to make changes to the process.


Recognizing the need to make changes isn't always enough. A feedback system must fit naturally within the users' workflow. Spear recalls the case of a healthcare organization that asked personnel to log inconveniences that could impede patient safety. For example, if a nurse had difficulty finding medication during a slow time of day, then chances are the task could be even more difficult during busy periods or when the medicine was needed in a hurry. However, the process for reporting such a problem took 10-15 minutes. "To ask a nurse to spend 10 minutes logging an inconvenience actually magnifies that inconvenience," Spear notes.

Steve Krueger, owner of MAK and Associates, a quality and regulatory consulting agency, agrees on the need for an employee-feedback channel. Change-management tools and metrics can help health care organizations determine what's actually happening during process execution and whether desired goals are being achieved. "Successful companies will have procedures in place to not only meet [HIPAA] requirements, but to improve the processes for doing so."

READER FEEDBACK: Do you work in the healthcare industry and have something to share about your BPM initiative? If so, ebizQ editors would like to hear about your experience. Contact Site Editor Anne Stuart at editor@ebizq.net.

About the Author

Crystal Bedell is an award-winning freelance writer who specializes in covering technology. Contact her at cbedell[at]bedellcommunications.com.
