Tackling increased compliance concerns in healthcare and education

Jan. 6, 2015
Evolving regulatory landscape makes streamlining of security and safety data essential

In both the healthcare and education verticals, compliance is a major area of responsibility. Existing regulations are constantly evolving and new ones are added on an ongoing basis, both of which make compliance a moving target. At the same time, institutions in both industries must track certain metrics for billing, safety, security, accreditation, and other functions, all while maintaining individuals' privacy and confidentiality.

While the specific requirements for the two verticals may differ, the greatest compliance challenges for both healthcare and education lie in three areas: privacy, accreditation, and safety. The following are details of these three areas for each industry, as well as policies, procedures, and best practices that can assist with maintaining compliance.


Privacy is of utmost concern in healthcare, largely because of the Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA. The act's Privacy Rule protects individually identifiable health information held by hospitals, health plans, and other covered entities and their business associates. Patients have a variety of rights over their information, but the Privacy Rule is balanced: it permits health information to be disclosed without authorization when needed for treatment, payment, and healthcare operations.

Physical records could be kept under lock and key, but that would create roadblocks to patient care. Federal policy has therefore pushed hospitals to adopt electronic medical records (EMR), chiefly through the "meaningful use" incentives and payment penalties created by the HITECH Act of 2009. The goal is to streamline and improve patient care by making it easier for physicians in different facilities to access a patient's history as needed. While this improves quality of care, it also complicates keeping those records private. HIPAA's Security Rule applies to covered entities and their business associates and specifies the administrative, physical, and technical safeguards that must be in place to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Healthcare facilities are also governed by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which empowers the U.S. Department of Health and Human Services to establish programs that improve healthcare quality, safety, and efficiency by promoting IT solutions, including electronic health records and private, secure electronic health information exchange. HITECH also strengthened HIPAA enforcement, applied the Security Rule directly to business associates, and added the Breach Notification Rule, so an EMR breach now carries a reporting obligation as well as a privacy cost.

The Affordable Care Act of 2010 (ACA) adds a separate financial pressure: its Hospital Readmissions Reduction Program reduces Medicare payments to hospitals with excess readmissions resulting from complications of earlier treatment at the facility. These penalties can be severe, so healthcare institutions must not only improve the standard of care they provide but also proactively track readmissions. By correlating each readmission with the care the patient received during the previous admission, hospitals can identify areas of concern that may be contributing to the problem. Once those causes have been pinpointed they can be addressed, raising the standard of care and reducing the readmission rate. Institutions that identify and address issues proactively also avoid the stiff penalties the ACA allows.


Privacy in education is covered mainly by the Family Educational Rights and Privacy Act (FERPA). With some specific exceptions, FERPA applies to all educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. FERPA generally prohibits disclosure of personally identifiable information from education records without written consent from the parent or, once the student turns 18 or enrolls in a postsecondary institution, from the student. The penalty for non-compliance can be severe: potential loss of federal funding, which gives institutions a major incentive to maintain compliance. A number of state or provincial laws and regulations also protect student privacy.

While privacy remains a central concern for educational institutions, safety and security have risen to the top of the list, largely because of the number of high-profile incidents at schools across the country. Institutions at all levels are now subject to a variety of federal, state, and local requirements designed to improve safety and security for students and staff through specific policies and procedures.

One of the most notable pieces of legislation affecting higher education is the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act), a federal law that requires colleges and universities to disclose information about crime on or near their campuses. The Clery Act also requires prompt emergency notifications to students, employees, and other members of the school community about certain crimes or incidents, and requires institutions to implement standard operating procedures that guide staff in meeting the law's requirements while handling emergencies or reports of missing students. Finally, the Clery Act holds institutions responsible for providing adequate safety and security. Non-compliance can result in loss of federal funding and civil penalties, and a university that develops a reputation for poor safety could see enrollment dwindle, taking revenues with it.


Both healthcare and education institutions must deal with a flood of information from a wide variety of sources. Maintaining privacy and security means this information must be collected, analyzed, managed, stored, and reported, and each of these tasks can be daunting on its own. As regulations evolve and new rules are introduced, it is no longer realistic to expect these tasks to be performed adequately by hand. Institutions that continue down this road will quickly find themselves struggling to tread water in a sea of information. Organizing and managing all this data in spreadsheets or filing cabinets can be a full-time job, so maintaining and demonstrating regulatory compliance requires additional time and staff, which translates into layers of additional expense. At the same time, a single human error can undermine the integrity of the information and jeopardize the organization's compliance.

Given all the challenges associated with these processes, how can healthcare and educational institutions best ensure compliance with their industry’s particular requirements and regulations?

There are solutions available that automate data collection and reporting for these volumes of information. Such incident management solutions can automatically gather multiple types of data from a wide range of sources, which may include parking tickets, HR records, staff complaints, police reports, and more, into a central repository.

Users can tap into this repository to customize how information is measured and reported, and can conduct separate analysis and reporting for different purposes over the same data sets without altering the raw data itself. This allows an institution to flag specific types of data for analysis and reporting according to its needs, whether for compliance with particular regulations or with institutional standards. With this information available, schools and hospitals can examine trends to improve privacy, safety, and security. As regulations change or new ones are introduced, the system's reports can be updated to reflect them.

Both healthcare and educational institutions must periodically achieve accreditation from their governing bodies, such as The Joint Commission in the U.S., Accreditation Canada, or state boards, to remain in operation. Compliance with regulatory mandates is an essential ingredient of accreditation, and documentation of that compliance is required. Governing bodies do not necessarily require an electronic system, but having one in place can make meeting these mandatory requirements significantly easier.

These solutions are designed with privacy in mind: each system collects only the data relevant to its purpose (data minimization), and each data set is accessible only to the individuals or departments with a need to know. For example, the information available to a hospital's billing department is much more limited than what physicians see in the system used for patient care. A department can request access to additional information, provided there is a clearly stated need for it, and both the request and the approval should be recorded so that the access can later be justified to an auditor.
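The two mechanisms described above, analysis views that never alter the raw data and field-level need-to-know access that a department can extend only with a recorded justification, are easy to get wrong in a home-grown repository. The following is an added example, written for this page rather than taken from the article or from any vendor's product, of a minimal central repository that enforces both. The department names, the field-level policy, the record fields, and the sample records are all constructed for illustration.

```python
# Added example (not from the article or any vendor product): a central record
# repository that enforces need-to-know at the field level, hands out copies so
# analysts cannot alter the raw data through a view, and logs every read,
# denial and access grant. Departments, fields and records are constructed.
from copy import deepcopy
from dataclasses import dataclass, field

# Hypothetical field-level policy: which record fields each department may read.
BASE_POLICY = {
    "clinical": {"record_id", "patient_id", "diagnosis", "treatment", "admitted"},
    "billing":  {"record_id", "patient_id", "admitted", "cost_center"},
    "security": {"record_id", "location", "incident_type", "admitted"},
}


class AccessDenied(Exception):
    pass


@dataclass
class Repository:
    raw: list                                  # canonical records; views never touch them
    policy: dict = field(default_factory=lambda: deepcopy(BASE_POLICY))
    audit: list = field(default_factory=list)  # append-only trail of reads, denials, grants

    def grant(self, department, extra_fields, requested_by, justification):
        """Extend a department's field set, but only with a recorded justification."""
        if not justification.strip():
            raise ValueError("access grant requires a stated need")
        known = set().union(*(set(rec) for rec in self.raw))
        unknown = set(extra_fields) - known
        if unknown:
            raise ValueError(f"unknown fields: {sorted(unknown)}")
        self.policy.setdefault(department, set()).update(extra_fields)
        self.audit.append({"event": "grant", "department": department,
                           "fields": sorted(extra_fields), "by": requested_by,
                           "justification": justification})

    def view(self, department, requester, fields=None):
        """Return copies of the raw records trimmed to the fields the department may read."""
        allowed = self.policy.get(department)
        if allowed is None:
            self.audit.append({"event": "deny", "department": department, "by": requester})
            raise AccessDenied(f"no policy for {department}")
        wanted = set(fields) if fields is not None else allowed
        over = wanted - allowed
        if over:
            self.audit.append({"event": "deny", "department": department,
                               "by": requester, "fields": sorted(over)})
            raise AccessDenied(f"{department} may not read {sorted(over)}")
        self.audit.append({"event": "read", "department": department,
                           "by": requester, "fields": sorted(wanted)})
        # deepcopy: a department may reshape its view without altering the source data
        return [{k: deepcopy(v) for k, v in rec.items() if k in wanted} for rec in self.raw]


# Constructed sample records (not real data): two admissions of one patient and
# one parking-lot security incident, all in the same repository.
SAMPLE = [
    {"record_id": 1, "patient_id": "P-100", "diagnosis": "pneumonia", "treatment": "IV antibiotics",
     "admitted": "2014-11-02", "cost_center": "MED-3", "location": "Ward 3", "incident_type": None},
    {"record_id": 2, "patient_id": "P-100", "diagnosis": "pneumonia", "treatment": "IV antibiotics",
     "admitted": "2014-11-20", "cost_center": "MED-3", "location": "Ward 3", "incident_type": None},
    {"record_id": 3, "patient_id": None, "diagnosis": None, "treatment": None,
     "admitted": "2014-12-01", "cost_center": None, "location": "Lot B", "incident_type": "vehicle break-in"},
]


def demo():
    repo = Repository(raw=deepcopy(SAMPLE))
    billing = repo.view("billing", "acct-01")
    billing[0]["patient_id"] = "TAMPERED"          # only the copy changes; raw stays intact
    try:
        repo.view("billing", "acct-01", fields=["diagnosis"])
        leaked = True
    except AccessDenied:
        leaked = False
    repo.grant("billing", {"diagnosis"}, "acct-01", "coding audit for MED-3 claims")
    after = repo.view("billing", "acct-01", fields=["record_id", "diagnosis"])
    return {
        "billing_fields": sorted(billing[0]),
        "raw_intact": repo.raw[0]["patient_id"] == "P-100",
        "diagnosis_leaked_before_grant": leaked,
        "diagnosis_after_grant": after[0]["diagnosis"],
        "audit_events": [e["event"] for e in repo.audit],
    }


if __name__ == "__main__":
    print(demo())
```

The policy is deliberately an allow-list of fields rather than a deny-list, so a newly added field is invisible to every department until someone grants it with a justification, and the audit trail records the denied attempt as well as the later grant, which is exactly the evidence an accreditation reviewer asks for.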

From a security standpoint, data managed in this way becomes intelligence that can be used for risk prevention and protection. Statistics that could take days or weeks to assemble with ad hoc database queries are available on demand, because the formulas and queries are built into the software. From this information, indicators can be identified that may point to weaknesses in a security program. Root causes of incidents can be identified rather than just their symptoms, which prevents recurrence instead of treating each incident in isolation. The faster the information is available, the faster measures can be taken to address risks and minimize incidents.

So while collecting, managing, and analyzing data to produce the reports needed to demonstrate compliance is a significant undertaking, there are ways to make it both easier and more accurate. By taking advantage of solutions that automate and streamline these processes, institutions can maintain compliance, retain the funding required to remain in operation, and increase the safety and security of their facilities.

About the Author

Brian McIlravey | Chief Operating Officer, RightCrowd

Brian McIlravey is the Chief Operating Officer of RightCrowd. Over the last 30 years, Brian has been a frequent speaker at security industry events and has served on many panels and group presentations. He is a former executive member of the ASIS ITSC and the Physical Security Council, and a member of the original ESRM Board. He currently sits on the advisory boards of three security technology companies around the world.