Rules and regulations are an integral part of life, especially in the world of healthcare where you are dealing with very sensitive information and situations. Though it may not always be clear at first glance, rules and regulations are put in place to help protect people and make things as fair as possible. Where it gets tricky, however, is the span of time between when we implement our systems and when the rules and regulations were written and enacted. During that time span, technology has advanced, new ideas and plans have been created, and what we value may have shifted.
This can result in situations where you are trying to do something new that will greatly benefit your organization, staff, and/or patients, but doing it while remaining compliant with current regulations is extremely complicated, if not near impossible. Or the complete opposite can happen to you. There can be situations where your organization has been functioning in a specific way for a while – only for new regulations to be written and/or old regulations to be updated in such a way that you are suddenly no longer in compliance. Currently, one such tricky area is health information management.
To learn more about this, we reached out to our brilliant Healthcare IT Today Community and asked them — what are the key challenges in maintaining compliance with regulatory standards, such as HIPAA, in the context of health information management? The following are their answers.
Bill Olsen, Co-Founder and CTO at UptimeHealth
The primary challenge in maintaining compliance with regulatory standards like HIPAA in health information management lies in data governance. Strict regulations govern the sharing of Protected Health Information (PHI) to safeguard patient privacy. However, these restrictions can conflict with the need to utilize this data in analytics and AI systems aimed at enhancing patient outcomes. Developing these systems often requires using real or closely approximated statistical data.
John Squeo, Senior Vice President & Market Head, Healthcare Providers at CitiusTech
Maintaining compliance with regulatory standards like HIPAA in health information management is challenging due to the ever-evolving nature of regulations and the increasing complexity of healthcare systems. Additionally, the culpability of health systems for third-party-caused breaches makes privacy assurance and digital security programs even more complex to implement and consistently execute. Furthermore, the growing volume of electronic health records and the need for interoperability between different systems can make it challenging to ensure compliance with all relevant regulations.
Brian Laberge, Solution Engineer, Health Language at Wolters Kluwer Health
Constant evolution to address new technologies that are brought into the healthcare workflow, such as AI-enabled tools that provide Clinical Decision Support to providers or patients, or regulations for data sharing across stakeholders, makes it challenging to keep up with the regulatory standards. Further, there are state-specific variations in the laws, which make it challenging for technology vendors to provide solutions with state-specific variations and customizations based on the markets they serve.
All technology platforms aren’t created equal, and the influx of technology companies into healthcare offers an opportunity for risk if these new entrants aren’t taking the proper precautions to protect patient data. There are rules on the transparency of AI models (including HTI-1) and the data they are trained on as well as HIPAA requirements. Health information professionals need to ensure they have a solid data governance process and understand the models they are incorporating into processes to stay compliant. Technology also should have the necessary security certifications to ensure security and data privacy and can control who sees what only when they need to see it. Further, technology platforms should rely on the most current regulatory guidance (annual ICD-10 updates, HCC version model changes, etc.), and should have a process in place to keep track of these updates to ensure compliance.
Bridget O’Connor, Chief Operating Officer (COO) at Fortalice Solutions
The key challenge in maintaining compliance is always remembering that HIPAA compliance goes deeper than the surface level within the organization. It’s more than just completing your annual HIPAA assessment. The remediation items from the assessments need to be tracked through resolution and, in some cases, need to be re-tested or audited to ensure they’ve been addressed. Additionally, with third-party risk being one of the leading causes for breaches, ensure you have a robust Vendor Management Office and process to make sure your vendors (if applicable) are also compliant and ask them to attest to it.
Jason Griffin, MBA, CISM, Managing Director of Digital Health Strategy and Cybersecurity at Nordic Global Consulting
Compliance with regulatory standards like HIPAA presents several key challenges for health information management (HIM) professionals. One significant hurdle is the ever-evolving nature of technology and cybersecurity threats, which require constant vigilance and adaptation. As healthcare organizations increasingly adopt digital solutions and electronic health records (EHRs), the potential for data breaches and unauthorized access escalates. HIM professionals must implement robust security measures and stay informed about the latest regulations and best practices to mitigate risks. Ensuring that all staff are adequately trained in compliance requirements and security protocols further complicates the landscape, as ongoing education is essential to prevent costly violations. Another challenge in maintaining compliance arises from the complexity and diversity of healthcare environments.
Organizations often need help to integrate and standardize data across various systems and departments. Fragmentation can lead to inconsistencies in data handling and privacy measures, making it difficult to ensure the consistent compliance practices needed to meet HIPAA standards. Additionally, the need for collaboration among multiple stakeholders—including healthcare providers, IT personnel, and legal teams—can create communication barriers that hinder compliance efforts. Navigating these challenges requires a concerted effort from HIM professionals to foster a culture of compliance, ensuring that all aspects of health information management are aligned with regulatory standards while safeguarding patient privacy and data security.
Diana Sonbay-Benli, VP & Chief Product Officer, Cognizant TriZetto Healthcare Product at Cognizant
Maintaining compliance with regulatory standards like HIPAA is increasingly complex, especially as lesser-known aspects of HIPAA grow in significance. Further, compliance extends beyond HIPAA; health information management must navigate a broad range of federal and state-specific regulations. Meeting the demands of this wider regulatory scope is challenging, particularly as regulations constantly evolve and vary by jurisdiction. Organizations must also track regulatory changes impacting other stakeholders, such as providers monitoring payer regulations and vice versa. This is essential because new regulations can open strategic opportunities for data use and influence the timing of technological advances and adoption. The key challenge is staying agile—maintaining data integrity, security, and privacy—while balancing compliance with changing regulatory landscapes and capitalizing on new opportunities.
Susan Clark, Senior Director of Community & Advocacy at DirectTrust
Health information management (HIM) professionals face numerous challenges in maintaining compliance with evolving regulatory standards like HIPAA, particularly as new rules emerge. For instance, the recently finalized HIPAA Reproductive Rule introduces additional consents and attestations for law enforcement, creating complexity around what qualifies as reproductive data. HIM must also balance federal rules with state-specific legislation on data privacy, reproductive or gender-affirming care, and artificial intelligence.
The introduction of the Information Blocking Rule has expanded HIM’s role in data asset management, helping to define and track the flow of information. Yet another challenge is adapting consents to electronic environments, which could reduce the burden on both patients and staff. While some electronic consent systems show promise, standardization and widespread adoption remain limited. But there are many collaborative industry initiatives, including Sequoia Project’s Interoperability Matters Privacy & Consent Workgroup that are trying to create more uniform, compliant, and efficient workflows.
Ram Krishnan, CEO at Valant
Many practices rely on email for communication, but this presents substantial risks to HIPAA compliance. First, email addresses are often mistyped, which can result in dangerous disclosures of protected health information (PHI). Even if they reach their intended recipient, emails are often overlooked or misdirected to spam folders, and they are usually unencrypted. As a result, emails can more easily be intercepted by third parties than information conveyed through a secure web portal. This does not mean you should skip email entirely, but you can help ensure compliance by limiting the use of email to alerts and reminders that direct patients to a patient portal.
Effective EHR software with a fully integrated patient portal helps ensure HIPAA-compliant interactions and allows patients to manage their care in a secure and HIPAA-compliant way. This includes viewing and paying bills, managing appointments, and completing and e-signing forms. Mobile app functionality is another thing to consider, as many patients prefer to use mobile devices for these types of tasks.
Marlena Herrera, Director, Customer Success at Protegrity
The key challenge in maintaining compliance with regulatory standards in the context of health information management is that there are guidelines and requirements, but often there are no specifications on the requirements and how they need to be implemented to be considered compliant. This causes organizations to take an independent assessment of the regulatory standards, which may vastly vary from one organization to another depending on their leadership, risk appetite, and maturity in technology and their approaches.
In addition, there are often new regulatory standards and requirements that may vary from state to state or emerge with new requirements based on governmental requirements that create challenges to adherence. Reviewing these requirements holistically and creating a strategic approach to meeting the requirements in alignment with organizational risk, leadership, and technical maturity often results in faster results with the ability to quickly adjust and meet new requirements.
What great answers! Huge thank you to Bill Olsen, Co-Founder and CTO at UptimeHealth, John Squeo, Senior Vice President & Market Head, Healthcare Providers at CitiusTech, Brian Laberge, Solution Engineer, Health Language at Wolters Kluwer Health, Bridget O’Connor, Chief Operating Officer (COO) at Fortalice Solutions, Jason Griffin, MBA, CISM, Managing Director of Digital Health Strategy and Cybersecurity at Nordic Global Consulting, Diana Sonbay-Benli, VP & Chief Product Officer, Cognizant TriZetto Healthcare Product at Cognizant, Susan Clark, Senior Director of Community & Advocacy at DirectTrust, Ram Krishnan, CEO at Valant, and Marlena Herrera, Director, Customer Success at Protegrity for taking the time out of your day to submit a quote to us! And thank you to all of you for taking the time out of your day to read this article! We could not do this without all of your support.
What do you think are the key challenges in maintaining compliance with regulatory standards, such as HIPAA, in the context of health information management? Let us know either in the comments down below or over on social media. We’d love to hear from all of you!