Friday, December 30, 2011

UNINTENDED CONSEQUENCES (Lessons Learned when Poor Process Management Leads to a Serious HIPAA Violation)

A panicked former client contacted me late last week to solicit my advice on a recent technology system implementation "train wreck" that occurred during the week of the Thanksgiving holiday -- (thankfully, VeNí Consulting was not involved!)  As the result of an unfortunate series of events, a serious HIPAA privacy violation had been committed and his organization was currently under investigation.  For those of you not familiar with the specific consumer rights covered by HIPAA (and I think it's extremely important to understand the laws governing OUR personal information during this age of increased information sharing and its security implications), it is the Health Insurance Portability and Accountability Act, a Federal law that provides protections for personal health information held by covered entities and gives patients (i.e., you and me) an array of rights with respect to their information.  Specifically, there are two rules:
  1. Privacy Rule:  A Federal regulation issued under HIPAA that gives you rights over your health information and sets rules and limits on who can look at and receive your health information.  It applies to all forms of individuals' protected health information, whether electronic, written, or oral.
  2. Security Rule:  A Federal regulation issued under HIPAA that protects health information in electronic form, and requires entities covered by HIPAA to ensure that electronic protected health information is secure.
It was the Security Rule that was violated in my client's case, but let me provide you with a little more background to his story.  His company (a leading Health Care technology provider) is currently in the painful "throes" of a very complex, poorly planned and poorly managed post-merger integration initiative (there is SO much to say on this point that I will reserve my opinions for a future "Mergers Gone Bad" blog entry).  Well, adding to this "recipe for disaster" is a culture of general apathy toward business process rigor, including, but not limited to, limited formal process and standard operating procedure documentation, and where documentation exists, there are no clear consequences when established processes and procedures are not properly followed (i.e., managing non-compliance).  Sadly, senior executives contribute to this culture of apathy by strongly encouraging staff members to circumvent critical business processes when attempting to "shave off some time" while running toward a looming project deadline (painful symptoms of poor upstream planning and a major cause of quality problems resulting in dissatisfied customers).

In my client's unfortunate incident, several organizational risks lurked in the shadows awaiting the perfect opportunity to POUNCE!  After several years of painstakingly developing, documenting and managing the end-to-end business processes implemented in his organization (including a disciplined approach to tracking their performance based upon internal and external customer requirements -- very impressive), he received an "eleventh hour" request (a.k.a. "red-hot emergency") from a distraught and ill-prepared Product Implementation Manager, who sneakily carbon copied several senior executives (a common CYA tactic exercised by individuals with a track record of poor planning, missed deadlines, cost overruns, product defects, customer complaints, etc.).

The services and materials requested were actually the responsibility of the Implementation Team, but due to the extreme time constraint, additional resources were being recruited in a desperate attempt to meet the looming deadline.  Oh, did I mention this all happened on the day BEFORE the customer system was scheduled to "go live," which also happened to be the first day of the Thanksgiving holiday week (INSANE)?  For those of us who have spent any time working in a corporate office, we ALL know the buildings become "ghost towns" during the weeks containing the Thanksgiving and Christmas holidays due to employees taking vacation time at the end of the year.

Needless to say, the bad timing posed an obvious resource constraint for all parties involved and certainly did not provide the remaining staff with the required amount of lead time to effectively perform the tasks requested and deliver quality outputs (and the lead-time requirements were clearly spelled out in the publicly distributed business process documentation provided by my client's organization).

CONSEQUENTLY, my client took the prudent and wise action of PUSHING BACK, noting his concerns associated with:  1) the amount of risk induced by the poor and late timing of the request, 2) a severe lack of resource availability due to the pending holiday, and 3) an obviously poor project planning effort performed by the Implementation Manager -- and if this emergency was allowed to occur, what else had been overlooked?  Well, much to his chagrin, his phone rang and it was one of the senior executives who had been copied on the lengthy email exchange (BTW... Try to avoid lengthy email exchanges, particularly with several senior executives carbon copied.  It never ends well).  I digress... Said Senior Executive referenced my client's reputation as "the person you go to to get things done" and his very successful track record of consistently delivering high quality and value-added services (clearly a positive result of the business processes he enforces and has to defend daily).

Well... I wish I could say my client stood his ground.  However, we certainly all have our vulnerabilities, weaknesses, soft spots... For some it is Hershey's dark chocolate kisses, for others it is being called upon to play "Super Hero" and save the company from imminent destruction!!!  Unfortunately, after too many years of seeing these scenarios play out in organizations, I can tell you there is rarely a winner (even the Executive loses over time).  Typically, the "Super Hero" is set up for failure due to unrealistic expectations, timelines and limited resources.  If, through extraordinary measures, the designated Super Hero "averts the disaster" or "extinguishes the fire," a very dangerous precedent is set, giving team members a false sense of security that if another emergency arises, there are Super Heroes in the organization who can be called upon to "save the day."  Over time, it results in a culture of "firefighter" employees who passively await the "burning platforms" to motivate them into action, instead of focusing on the measures necessary for "fire prevention."

So, the "call to arms" issued by the senior executive proved to be my client's "kryptonite," and he was now perilously taking on the enormous amount of "risk" being thrown over the wall by that very crafty Product Implementation Manager (who, I'm sure, knew exactly what they were doing).

Well, as you know from the opening of this blog entry, this story does not have a happy ending... Misdirecting pressure (and confidence) at my client's organization, which had a well-deserved and hard-earned track record of consistent delivery, rather than holding the Product Implementation Manager "accountable" for their poor planning, poor execution and unwillingness to follow established business processes, is a treacherous road to travel.  It penalizes the star performers who are willing to go above and beyond the call of duty, while poor performance is overlooked and, indirectly, rewarded.  This convergence of unfortunate circumstances resulted in a nasty HIPAA violation when customer and internal technology training sessions (and materials) were delivered referencing the WRONG database -- one containing LIVE customer billing data (ironically, an Implementation Team member sent out the wrong link).  Nothing in the process verified that the training target was a de-identified or synthetic copy before the link went out.  This mistake exposed thousands of personal patient records to session attendees, leading to the following consequences of the HIPAA violation (a.k.a. "unintended consequences"):
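The failure above is a process gap with a technical guard rail that should have caught it: before a database link is handed to a training audience, something should verify that the target is a non-production copy holding de-identified or synthetic data.  The following is an added example of such a pre-flight check, written for this post and not code from the organization involved.  The hostnames, the naming pattern for training hosts, the `dataset_classification` marker table, and the two in-memory SQLite databases are all constructed for the illustration; the point is that the default answer must be "unsafe" whenever the marker is missing.

```python
import re
import sqlite3
from typing import Optional
from urllib.parse import urlparse

# Hypothetical policy values for this example; a real deployment would load them
# from configuration. Production hosts are never acceptable for training,
# whatever the data inside them claims to be, and training hosts must follow a
# naming scheme so that a copy/paste of the wrong link fails closed.
PRODUCTION_HOSTS = {"billing-db.prod.example.internal"}
TRAINING_HOST_PATTERN = re.compile(r"^[a-z0-9-]+\.(train|sandbox)\.example\.internal$")
SAFE_CLASSIFICATIONS = {"synthetic", "de-identified"}


class UnsafeTrainingTarget(Exception):
    """Raised when a link points at data that must not be shown in a training session."""


def check_host(url: str) -> str:
    """First layer: reject production hosts and anything outside the training scheme."""
    host = urlparse(url).hostname or ""
    if host in PRODUCTION_HOSTS:
        raise UnsafeTrainingTarget(f"{host} is a production host")
    if not TRAINING_HOST_PATTERN.match(host):
        raise UnsafeTrainingTarget(f"{host} is not a recognised training host")
    return host


def read_classification(conn: sqlite3.Connection) -> str:
    """Second layer: read the data-classification marker that the provisioning
    process is expected to stamp into every non-production copy (hypothetical
    table for this example). A missing table or row is reported as 'unknown',
    which the caller treats as PHI: the default is 'unsafe', not 'assume fine'."""
    try:
        row = conn.execute(
            "SELECT value FROM dataset_classification WHERE key = 'contains'"
        ).fetchone()
    except sqlite3.OperationalError:  # marker table absent
        return "unknown"
    return row[0] if row else "unknown"


def approve_training_target(url: str, conn: sqlite3.Connection) -> dict:
    """Both layers must pass; either one alone would have let the incident through
    (a production link is not a training host, and a mislabelled copy has no marker)."""
    host = check_host(url)
    classification = read_classification(conn)
    if classification not in SAFE_CLASSIFICATIONS:
        raise UnsafeTrainingTarget(f"{host} holds '{classification}' data, not a training copy")
    return {"host": host, "classification": classification}


def safe_to_train(url: str, conn: sqlite3.Connection) -> bool:
    """Convenience wrapper returning a boolean for use in a release checklist."""
    try:
        approve_training_target(url, conn)
        return True
    except UnsafeTrainingTarget:
        return False


def make_sample_db(classification: Optional[str]) -> sqlite3.Connection:
    """Constructed sample database: a billing table plus an optional marker row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE billing (patient_id TEXT, amount REAL)")
    conn.execute("INSERT INTO billing VALUES ('P-0001', 120.50)")  # constructed record
    if classification is not None:
        conn.execute("CREATE TABLE dataset_classification (key TEXT, value TEXT)")
        conn.execute("INSERT INTO dataset_classification VALUES ('contains', ?)",
                     (classification,))
    conn.commit()
    return conn


if __name__ == "__main__":
    cases = [
        ("postgresql://demo.train.example.internal/training", make_sample_db("synthetic")),
        ("postgresql://billing-db.prod.example.internal/billing", make_sample_db("phi")),
        ("postgresql://demo.train.example.internal/training", make_sample_db(None)),
    ]
    for url, conn in cases:
        print(f"{url}: {'OK' if safe_to_train(url, conn) else 'REFUSED'}")
```

The second and third cases are the two ways the incident could have happened: a production link pasted into training materials, and a "training" host that was restored from a live backup without anyone stamping it as de-identified.  Both are refused, and the refusal happens before an audience ever sees a screen.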

  1. Formal complaints filed against the covered entity with the Federal Office for Civil Rights (OCR)
  2. Incident investigation conducted by the OCR (and covered entities are required by law to cooperate with complaint investigations).  This also includes determining whether the action could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), whereupon the OCR may refer the complaint to the Department of Justice for investigation
  3. Notification of EVERY customer whose health care data was exposed, along with their respective patients
  4. Imposition of civil money penalties (CMPs) on the covered entity
  5. Potential lawsuits from exposed customers and/or their patients

Experience has shown that accidents tend to be the result of a perfect storm of circumstances stemming from a series of poor choices.  Something to remember as we are confronted with a barrage of daily decisions and the need to carefully weigh our options.


~ ~ ~ ~ ~ ~
By: Venae Sears-Ellis, CEO & Senior Partner, VeNi Consulting, LLC (c)2011

~ ~ ~
