As the gig economy continues to expand, healthcare organizations face electronic health information privacy and security concerns that can leave them facing HIPAA violation penalties.
As the malpractice insurance costs increase, the healthcare industry finds itself facing a significant dilemma. The current healthcare talent gap increases patient costs, decreases the quality of care, and places a financial burden on healthcare organizations.
To close this gap, more healthcare professionals and organizations embrace the “gig economy.” However, maintaining the privacy and security of patients’ protected health information (PHI) in this gig economy leads to increased costs from HIPAA violations that undermine the reason for hiring temporary staff. To overcome this burden, the healthcare industry needs modern Identity Governance and Administration (IGA) solutions to support these new business operations.
What is the gig economy in healthcare?
The talent gap is expanding
According to research conducted in 2018, the healthcare industry not only struggles with a current talent gap, but the gap will continue to grow in the future. For higher-skill practitioners, role openings exceed available workers by 40%. To further complicate the situation, the research indicated that the field needs:
- 52,000 more physical therapists
- 43,000 more nurse practitioners
- 24,000 more occupational therapists
- 23,000 more physician assistants
These numbers are only the beginning. The healthcare industry’s talent gap is expected to expand over the next five to ten years.
Patients want more communication and more control over their health
Meanwhile, patients continue to adopt a consumer approach to healthcare that incorporates new technologies. According to one study, 19% of patients said the “most important” factor in choosing a physician was the use of technology. An additional 21% placed technology as the second most important factor in choosing their physician. Thus, 40% of patients consider a healthcare provider’s use of email communication, online scheduling, and mobile device use in the office a primary factor for making their consumer healthcare decisions.
Patients now expect their healthcare providers to communicate with them electronically. Unfortunately, healthcare’s talent deficit often leaves patients waiting for responses, which translates into poor patient satisfaction and poor outcomes as patients move to different providers.
Temporary staffing enables healthcare organizations
To accommodate the skills gap and patient communications requirements, the healthcare industry has begun to embrace the gig economy. Healthcare professionals seeking flexible schedules or looking to make extra money become “traveling” practitioners. Healthcare organizations seek to minimize their inability to meet patient needs by hiring temporary practitioners to fill in gaps.
As the gig economy continues to expand, healthcare organizations face EHI privacy and security concerns that can leave them facing HIPAA violation penalties.
How does the gig economy impact HIPAA privacy compliance?
Under the HIPAA Privacy rule, healthcare organizations need to:
- Make reasonable efforts to use, disclose, and request the minimum amount of PHI necessary to accomplish the intended purpose of the use, disclosure, or request.
- Develop and implement policies and procedures to limit internal workforce member access to PHI based on roles and groups
- Determine reasonableness of covered entity requests to ensure they align with the HIPAA Privacy Rule
When working with freelance health professionals, complying with the HIPAA Privacy Rule becomes burdensome. Healthcare professionals require access to the organization’s systems and applications to provide appropriate patient care. However, contractors create risks by adding additional devices and identities to the ecosystem.
Major privacy risks caused by the healthcare gig economy
Although organization policies require contracted practitioners to undergo detailed background checks, people get curious. Employees – contracted or full-time – create a snooping risk when they have too much access to EHI. Contractors lack the formal connections to the healthcare organizations and create a greater risk since the organization may not be aware of their connections to other patients. A snooping contractor not only places the EHI at risk while working with the organization but can take it with them to other short-term employers.
Maintaining appropriate access controls
Practitioners need access to information that enables them to provide care, but they do not always need access to the full patient profile. For example, a physical therapist needs patient health information to help create a rehabilitation program, but she does not need patient medication, financial or health insurance information. However, as part of the rehabilitation plan, she may need to review medications for side-effects. After requesting additional access, the healthcare organization needs to ensure that she only accesses what she needs at the time she needs it. Thus, maintaining appropriate access controls can become overwhelming when attempting to limit information sharing to the minimum amount necessary.
Ensuring appropriate termination of access
Clinical workers join and leave organizations on a regular basis. Healthcare organizations need to ensure that they create the appropriate timebound access and enforce their rules.
Rejoining the organization
Often, healthcare organizations build relationships with their contracted workers. A hospital may need extra support from a physical therapist for a short, three-month period that then elapses. Later in the year, they may need another short-term contract with the same person. However, the access the physical therapist previously had for a legitimate reason has expired. Simply resetting the old identity may lead to a privacy violation.
User access from personal devices
Organizations not only need to maintain Electronic Health Information (EHI) privacy on their own devices, but that privacy requirement extends to user-owned devices. Within the gig economy, personal devices are the way that users access important assets such as email and cloud-based applications. However, user devices are inherently risky ways of accessing data, and they place user authentication credentials at risk.
Multiple sites, one data source
Large healthcare organizations incorporate multiple locations. However, contractors only need access to information associated with the office in which they work. Ensuring least privilege means limiting their access to only the information they need to provide healthcare, not all patient information for the organization.
Legacy solutions cannot meet the identity demands of the gig economy
The gig economy thrives on a dynamic, transient workforce. Thus, the current set of available solutions cannot meet the increased need for IGA programs that align with the changing workforce in conjunction with HIPAA privacy requirements.
Single sign-on (SSO) creates access and authentication controls at the organization’s highest level, its entrance. SSO does not help protect user access once the individual is inside the organization’s systems. While it acts as a preventive solution, it cannot secure all systems and data.
Legacy solutions enable high level, or coarse-grained, access controls. They often only provide access protection at the application level. For example, the traveling practitioner cannot obtain payroll information but can access the entire patient database. As such, the practitioner may maliciously or accidentally obtain information about a patient in a different location or gain access to too much information about a patient.
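The time-bound, site-scoped, minimum-necessary grants described in the privacy-risk sections above, and the contrast with application-level-only controls in the paragraph just above, as an added worked example. This is illustration code written for this page, not Saviynt’s product or any real IGA API; the roles, PHI categories, site names, identities and dates are constructed assumptions.

```python
"""Time-bound, site-scoped entitlements for contracted clinicians (illustration only)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed PHI categories each role needs by default ("minimum necessary" baseline).
ROLE_BASELINE = {
    "physical_therapist": {"clinical_notes", "rehab_plan"},
    "nurse_practitioner": {"clinical_notes", "medications", "allergies"},
}


@dataclass(frozen=True)
class Grant:
    identity: str                       # one identity per engagement, never reused
    role: str
    site: str                           # the office the contractor works at
    start: date
    end: date                           # contract end; access must not survive it
    extra: frozenset = frozenset()      # approved categories beyond the role baseline
    extra_until: Optional[date] = None  # the extra usually expires before the contract

    def active(self, on: date) -> bool:
        return self.start <= on <= self.end


@dataclass
class Directory:
    grants: dict = field(default_factory=dict)
    issued: int = 0

    def onboard(self, person: str, role: str, site: str, start: date, end: date) -> str:
        """Issue a fresh identity and grant. A returning contractor gets a new identity
        instead of a re-enabled old one, so expired entitlements are not inherited."""
        self.issued += 1
        identity = f"{person}-{self.issued:03d}"
        self.grants[identity] = Grant(identity, role, site, start, end)
        return identity

    def approve_extra(self, identity: str, categories, until: date) -> None:
        """Grant additional categories for a limited time, capped at the contract end."""
        g = self.grants[identity]
        self.grants[identity] = Grant(g.identity, g.role, g.site, g.start, g.end,
                                      frozenset(categories), min(until, g.end))

    def can_access(self, identity: str, site: str, category: str, on: date):
        """Fine-grained decision: contract window, site, then PHI category."""
        g = self.grants.get(identity)
        if g is None or not g.active(on):
            return False, "no active contract"
        if site != g.site:
            return False, "outside assigned site"
        if category in ROLE_BASELINE[g.role]:
            return True, "role baseline"
        if category in g.extra and g.extra_until is not None and on <= g.extra_until:
            return True, "approved time-limited extra"
        return False, "exceeds minimum necessary"


def demo() -> dict:
    """Walk through the scenarios from the article with constructed dates."""
    d = Directory()
    pt = d.onboard("pt-jane", "physical_therapist", "north-clinic",
                   date(2024, 1, 8), date(2024, 4, 8))
    r = {}
    r["notes"] = d.can_access(pt, "north-clinic", "clinical_notes", date(2024, 2, 1))[0]
    r["meds_before"] = d.can_access(pt, "north-clinic", "medications", date(2024, 2, 1))[0]
    d.approve_extra(pt, {"medications"}, date(2024, 2, 15))   # side-effect review
    r["meds_window"] = d.can_access(pt, "north-clinic", "medications", date(2024, 2, 10))[0]
    r["meds_expired"] = d.can_access(pt, "north-clinic", "medications", date(2024, 2, 20))[0]
    r["other_site"] = d.can_access(pt, "south-clinic", "clinical_notes", date(2024, 2, 1))[0]
    r["after_contract"] = d.can_access(pt, "north-clinic", "clinical_notes", date(2024, 5, 1))[0]
    # Re-engagement later in the year: new identity, baseline only, old identity stays dead.
    pt2 = d.onboard("pt-jane", "physical_therapist", "north-clinic",
                    date(2024, 9, 2), date(2024, 12, 2))
    r["rejoin_new_identity"] = pt2 != pt
    r["rejoin_meds"] = d.can_access(pt2, "north-clinic", "medications", date(2024, 10, 1))[0]
    r["old_identity_after_rejoin"] = d.can_access(pt, "north-clinic", "clinical_notes",
                                                  date(2024, 10, 1))[0]
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The coarse-grained legacy model the paragraph above describes would collapse the `site` and `category` checks into a single application-level yes/no, which is exactly how a traveling practitioner ends up able to read the whole patient database. Two design points carry the HIPAA load here: an approved extra is capped with `min(until, g.end)` so it can never outlive the contract, and `onboard` mints a new identity for a returning contractor rather than reactivating the expired one.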
The healthcare workforce needs modern IGA solutions
As the modern healthcare workforce evolves, so must its IGA solutions. The workforce no longer consists of static employees committed to a healthcare organization. The modern workforce – whether driven by cost or skills – is a dynamic workforce. As such, healthcare organizations need modern, dynamic, intelligent solutions that can adapt to the shifting healthcare landscape.
Intelligent risk analysis
Intelligent risk analysis means developing a full portrait of the user’s risk profile by incorporating access analytics, usage analytics, individual user activity, and inherent user risk. By aligning data and user access across the enterprise, healthcare organizations can create detailed user roles and groups that allow them to manage user identity, data classification, device, and location.
By analyzing user activity with filters such as type, role, permissions, data accessed, and functionality performed, IT departments gain visibility into interactions with patient data, i.e., who’s accessing which systems at what time, and why.
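The visibility the paragraph above describes (who accessed which record, when, and why), as an added example written for this page rather than taken from the article or from Saviynt: a small usage-analytics pass over constructed EHR audit events that surfaces the snooping pattern discussed earlier. The event fields, the caseload table, the business-hours window and the bulk threshold are all assumptions.

```python
"""Usage analytics over a constructed EHR access audit trail (illustration only)."""
from collections import defaultdict
from datetime import datetime

# Constructed caseload: patients each identity has a documented encounter with.
CASELOAD = {
    "pt-jane-001": {"P100", "P101", "P102"},
    "np-omar-002": {"P200", "P201"},
}

# Constructed audit events: who, which record, when, and the stated reason.
EVENTS = [
    {"id": "pt-jane-001", "patient": "P100", "ts": "2024-02-01T09:12:00", "reason": "encounter"},
    {"id": "pt-jane-001", "patient": "P101", "ts": "2024-02-01T10:40:00", "reason": "encounter"},
    {"id": "pt-jane-001", "patient": "P300", "ts": "2024-02-01T23:05:00", "reason": ""},
    {"id": "np-omar-002", "patient": "P200", "ts": "2024-02-02T08:30:00", "reason": "encounter"},
] + [
    # Ten distinct non-caseload charts opened within ten minutes: a bulk-browsing pattern.
    {"id": "np-omar-002", "patient": f"P{400 + i}", "ts": f"2024-02-02T12:{i:02d}:00", "reason": ""}
    for i in range(10)
]

BUSINESS_HOURS = range(7, 20)   # assumed: 07:00-19:59 counts as on-shift
BULK_THRESHOLD = 5              # assumed: distinct off-caseload patients per identity per day


def analyze(events, caseload):
    """Return (finding_type, identity, detail) tuples for events worth a reviewer's attention."""
    findings = []
    off_caseload_by_day = defaultdict(set)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        on_caseload = e["patient"] in caseload.get(e["id"], set())
        if not on_caseload:
            off_caseload_by_day[(e["id"], ts.date())].add(e["patient"])
            if not e["reason"]:
                # Access to a patient with no encounter and no stated purpose.
                findings.append(("no_documented_reason", e["id"], e["patient"]))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("off_hours", e["id"], e["patient"]))
    for (identity, day), patients in off_caseload_by_day.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append(("bulk_off_caseload", identity, len(patients)))
    return findings


def summarize(events):
    """Per-identity view: how many records, over what time span."""
    out = {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        s = out.setdefault(e["id"], {"records": 0, "first": ts, "last": ts})
        s["records"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return out


if __name__ == "__main__":
    for f in analyze(EVENTS, CASELOAD):
        print(f)
    for ident, s in summarize(EVENTS).items():
        print(ident, s["records"], s["first"], s["last"])
```

Each finding answers one of the four questions in the paragraph above: `no_documented_reason` is the missing "why", `off_hours` is the "when", and `bulk_off_caseload` is the "which systems" signal that a single contractor is reading far more charts than their encounters justify. In a real deployment the caseload would come from scheduling or encounter data rather than a hard-coded table, and the thresholds would be tuned per role.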
HIPAA requires that healthcare organizations define and implement controls to maintain continuous compliance. To move from compliance to intelligent compliance, companies need solutions that provide a depth and breadth of integration that map across industry domains and applications while aligning with compliance requirements, including but not limited to SOX, PCI, NIST, and HIPAA/HITRUST.
Privacy focuses on data access protections. Intelligent privacy means organizations classify data and continuously monitor for anomalous activities such as use and requests. Accidental unauthorized data access arising from a failure to properly govern identities still violates the HIPAA Privacy requirements.
Intelligent identity, smarter security and privacy
As the talent gap in healthcare continues to expand, the industry needs to focus on maintaining patient privacy while providing needed care. Finding a dynamic, modern solution means embracing new technologies for managing EHR and people.
Diana Volere, Chief Evangelist at Saviynt