HIPAA and HITECH acts – how they improved the US Health Systems and can be a case study of success for your CRM CMM journey.
Capability maturity modeling through the enforcement of HIPAA and HITECH acts – how they improved the US Health Systems and can be a case study of success for your CRM journey.
Evaluating your organization for its CRM maturity is a recurring requirement in the ever-changing world of data privacy, security and compliance requirements. Models from NIST, ISO, and even IEEE can be used to provide guidelines on how to review and determine where your company is on its CRM journey and where it should or could move from a maturity perspective.
But why undergo self-evaluation and measure your organization’s maturity regarding your CRM use or its data governance?
A lot of attention has been given to the care and governance of personal information in the last few years. Regulations like GDPR and CCPA now mandate the way you must treat information stored in CRM or risk being fined. It makes more than just good business sense to ensure CRM data and access are handled properly and only the right people have access to the right data. Still, we remain hesitant to evaluate our processes and systems for a number of business reasons. Perhaps a maturity assessment needs to be looked at from a different perspective.
If you haven’t been through an assessment, it may be hard for you to understand what a maturity assessment is or how it works. Studying the healthcare industry and the recent examples of its somewhat forced maturity can help shed light on the process.
HIPAA, HITECH, and the Healthcare Industry – a Case Study
The case study on how the health services industry in the US standardized, modernized, digitized, and eventually safeguarded patient records is a positive journey of maturity. It led to advances in medicine and to a much fairer system for everyone. Of course, it isn’t perfect yet, but it is improving and has been prolonging lives. Even today, it still strives for greater maturity by continuously adjusting to the needs of both patients and healthcare practitioners for better outcomes.
As few as 20 years ago, most consumers gave little thought to whether their dentist or doctor knew their age, their ailments, or what medications they were on. The digital age was already upon us, but most practitioners weren’t using electronic records. On the one hand, problems arose when the lack of process and policy implementation allowed companies to apply biases against someone for insurance or hiring practices after being alerted about “private” personal information. On the other hand, issues were also created as data wasn’t shared among practitioners in a timely manner, leading to overprescriptions, drug abuse, and too often, death. Even with these important issues, one of the most compelling reasons to regulate this data was simply to allow someone to be insured by another insuring body when they moved states or when they switched jobs or insurers.
Nowadays, few of us would object to sharing our medical records with other healthcare professionals to allow for continuous care, avoid an overprescription, or prevent mixing medications. We often don’t give a second thought to how hard it was to get to this seamless, yet secure, data-sharing process.
Based on differing laws from state to state and what was often contributing to a growing unfairness from large healthcare institutions and insurers, the Health Information Portability and Accountability Act (HIPAA) was signed into law in 1996. It primarily defined the required level of care and appropriate measures to protect health records while in the care of a hospital or caregiver, along with giving guidelines on how they must be stored and transferred to another healthcare provider. As a law, it also provided strict deadlines for healthcare providers to implement these processes or risk heavy fines or losing federal Medicare/Medicaid payments. HIPAA also made it possible for health coverage to be transferrable to other providers, gave guidelines for billing and fraud prevention, and created a process to be followed when someone moved jobs or had a life event.
Certainly, before and even several years after 1996, most health care organizations were able to store and handle private health information on any number of systems. But most often, this information was stored in a proprietary database or managed in a unique way, rendering it unintelligible to another health agency. Information was hard to request and it would almost always have to be printed out and transported by courier, taking valuable days before arriving in a doctor’s hands and affecting lives. The handling of this information and the restricted nature of its contents helped promote an additional HIPAA Privacy Rule in 2003. This rule helped define what to consider Protected Health Information (PHI), which had to be kept private from information handlers and couriers, except with the express permission of authorized individuals. Patients themselves were now in control of their data, and only they could request that it be sent or disposed of.
Information was kept private and portable, yet it still couldn’t be efficiently stored or transported. The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) incentivized the use of electronic systems to manage patient health records and provided standards to improve storage, transport, and privacy of records during transit to another provider. These new standards for Electronic Health Records also provided further incentives to facilitate the fair sharing of anonymous health-related information with governing bodies like the Department of Health and Disease Control – helping aggregate statistics.
This digital transformation wasn’t easy for many healthcare providers, as many of the regulations required them to modernize not only the patient health record systems, but also the infrastructure and security control systems to restrict access to all but authorized individuals and the patients themselves. Before HITECH, you were only required to restrict access to a terminal. With HITECH, you had to restrict access to entire networks from anyone unauthorized and especially hackers. Many hospitals could not afford to move quickly and numerous consolidations among healthcare centers needed to happen. HIPAA and HITECH regulations mandated not only primary healthcare centers to follow these rules, but also suppliers and providers – called “Business Associates” – to maintain these same standards and sign agreements. To ensure these changes occurred in a timely fashion, the Office for Civil Rights had to begin auditing and levying large fines on many hospitals and insurers who didn’t meet the deadlines.
With the digitization of this data, numerous rules around breach notifications were added. These require HIPAA-covered health entities to provide a method to notify all affected individuals if a breach of their personal data occurs, including alerting the appropriate governing agency and the media. Although the penalties are very high, many health providers still succumb to audit failures and must remedy and pay fines or risk losing their license to perform any services.
This forced march through modernization and maturity has provided many positive outcomes for both the healthcare providers and the public they serve.
Digitization of health records and anonymized statistics has led to an unprecedented amount of access to real data by researchers and clinicians, which directly affected positive patient outcomes both locally and globally. Streamlining health information sharing has led to better collaboration between experts from all over the world and drastically reduced diagnosis times and patient stays, translating to real cost savings for both hospitals and patients.
As the health industry continues to modernize, we now see advances in telehealth and preventative treatments for diseases, avoiding epidemics spreading in other areas of the country and the world. Hospitals can compete for business and more effectively run regional public health initiatives based on both their own data and those from other demographic areas. Despite some obstacles, the results for the healthcare industry have been and continue to be positive.
The Capability Maturity Model applied to CRM and Data governance – a tool for your organization
Many aspects of this case study apply to organizations that are starting to use a CRM system and need to learn to optimize how they use their CRM and its data. For a successful journey from the initial phase to full optimization of CRM, one must pass through several stages and reach specific objectives first.
Reviewing this case study, we can relate it to the Capability Maturity Model initially proposed for Software Engineering.
The Capability Maturity Model (CMM) was initially developed by the Carnegie Mellon University School of Software Engineering, but it can be applied to numerous business process improvement initiatives. The CMM includes five phases, each providing:
- a definition of what has already been achieved, and;
- a close review of the next stage with what you need to strive for to move “up”.
The five phases are Initial, Repeatable, Defined, Managed, and Optimizing.
In this article, we’ll define each in the context of CRM and its Data governance and we’ll use the example from the HIPAA healthcare case study.
INITIAL
Initial is a process that works for the individuals working in the business – people who have trivial knowledge of clients that allows them to fill in service gaps. They are often forging ahead in a haphazard fashion, striving to meet the requirements of clients or for themselves, but this system is neither repeatable nor easily taught to outsiders. In this phase, you may have a CRM but your team isn’t using it in a consistent way to store client information. Most of your client data in CRM is simply a list of phone numbers or email addresses. CRM isn’t seen as a business accelerator but more as a nuisance by some individuals. Information keeps being logged in disparate systems or in people’s heads, making it impossible to govern this data.
In the case of the Healthcare industry, a good example of this phase would be how a small town and/or a busy doctor’s office was operating before HIPAA. There was probably the same lack of processes for a lot of hospitals which explains why staff members were so heavily relied on. No standards, lots of paper, and hardworking people trying to make a difference one patient at a time, learning from the last one.
REPEATABLE
In the repeatable phase, the concept of lifecycle management has been introduced and the processes for information re-use and sharing are implemented. Repeatable results are achieved from many client and staff engagements. Staff members feel more productive using CRM than they would using their own methods. CRM is now considered a tool, but not a business accelerator yet. For the most part, client data is consolidated into a central repository, but access to this information isn’t governed, as most people have rights to see all the information.
In the case of the Healthcare industry, this would have been similar to a hospital mandated to meet an upcoming HIPAA deadline for codification and implementation of the Electronic Signature standards rule. They would have begun the monumental task of digitizing records and implementing a system of unique identifiers for each patient and attending staff members, as well as a coding system for standard procedures. Hospital staff are now mandated to use the electronic hospital systems and feel a little more productive as they move from ward to ward with similar, coherent systems.
DEFINED
In the defined phase, there are now written procedures in place. Work is more efficient and predictable with standard outcomes from each process. There are training programs and cross training for backup. Each process is audited and corrections are made when irregularities are found. The CRM is an efficient source of truth for all client engagements and problems can be quickly rectified with little disruption to staff or clients. Roles have been formally established to govern who has access to which records within CRM. Hardened security restrictions have been placed over sensitive data with auditing and logging to ensure appropriate access is preserved.
In the Healthcare case study, this phase would be when providers have passed the first deadline to implement the Security Compliance Rules. The HITECH Act has come into effect, providing incentives to proliferate the use of electronic health records shared throughout all healthcare providers. This has also mandated the implementation of role-based security and encryption standards for information stored or transmitted to other healthcare providers.
MANAGED
In this phase, CRM processes and the data it contains are continuously measured to gain a deeper understanding of customer-facing operations. Key performance indicators are tracked and outcomes are compared to previous results. Goals for customer success are established and data helps point the direction the organization should take. A centralized change management process directs and performs all changes to access rights within the CRM with appropriate approvals from data owners and governors, while being tracked for a complete audit trail. Appropriate data cleansing and verification methods are in place to purge records after a prescribed time period or when no longer in use, as directed by a Data Controller.
To reference the healthcare case study, this is the phase where HITECH became enforceable and mandated the formulation of meaningful use of healthcare data. Data Owners (usually represented by a governing official of the Healthcare System) assumed responsibility for the Health Information and established processes to ensure proper handling and disposal of patient records when no longer required. Regional healthcare centers began providing anonymized data to Health Information Exchanges and patient outcomes are tracked in each state and major region. Goals for improved patient care and better rural healthcare are established to enable agencies like the National Center for Health Statistics to incorporate these health records into their massive databases. Hospitals begin to track positive outcomes and begin to use this data to establish goals to improve operational efficiency, reduce costs, and compete more effectively.
OPTIMIZING
The fifth (and last) phase, called optimizing, is a state to strive for that is never perfectly achieved. Feedback loops from continuous measurement provide real-time data to optimize CRM interactions. Preventing client issues can be achieved through predictive analysis. Change management processes schedule and track improvements to modernize CRM systems and data management. Machine learning and AI algorithms run numerous simulations against the data to suggest inventive new ways to achieve better results from clients and pinpoint where future growth most likely is for the organization. Governance is fluid, always based on need-to-know from job requirements and revoked automatically when not being processed. CRM privileges are constantly evaluated and automatically adjusted, with irregularities in access being tracked and flagged for human intervention when they move outside of normal operating bounds.
This is where the analogy ends with the healthcare industry journey. The industry has made great attempts to optimize by leveraging predictive analysis against patient health records, but there is still more work to be done. Movement is slow as healthcare’s constant evolution, new legislation, and technology advancements must be carefully implemented and first trialed through data simulations.
Summary
These five phases of the maturity model – Initial, Repeatable, Defined, Managed, and Optimizing – help define where your organization is in its CRM maturity journey and the benefits to be realized by moving to the next level. CRM records are perhaps the most valuable assets any organization can hold without entirely owning them. Client information can be provided to any company at the discretion of the person who owns it – the client themselves. It behooves any organization to treat this data with the duty of care that is expected of them. If these processes aren’t already in place in your organization today, they should be a priority and evaluating your maturity is a great place to start.
As you saw in the Healthcare case study, the end can be positive and although it has been difficult for some healthcare providers to implement these changes and corrections, they need to be made. The end results have provided means to measure outcomes, help lay the groundwork for future improvements in healthcare, and ensure data is managed uniformly in all areas of healthcare.
Assessing where your organization is in its maturity for CRM and data governance is a continuous journey, where you realize its rewards mostly in its later phases. As it was for the healthcare industry, it won’t be easy or happen overnight, but the outcomes will enable the right things to happen for your company and your clients. To make the best use of this method, you must pass through each phase recognizing that the goal is only to reach the next level – you can’t skip levels and expect some things not to be overlooked. Organizations that use CRMs have an obligation to assess their processes to safeguard their clients’ data. Without undertaking an assessment, they are not able to answer inquiries or know how to adapt to meet regulatory requirements such as GDPR and CCPA. I would invite you to use the US Healthcare case study to help make the best case for your company and your team to complete this assessment.
Vice President Partner Success at Mailprotector
The complexity of the US health care system is an excellent analog for CRM. Even smaller businesses will need to consider the obligation to secure and use customer, partner, and user data responsibly. I believe the effort can create a competitive advantage. Thank you for the well summarized Capability Material Model.