Information Security and Compliance through the Prism of Healthcare and Retail
John Mancini

By: John Mancini on February 21st, 2018

Print/Save as PDF

Information Security and Compliance through the Prism of Healthcare and Retail

Compliance  |  Healthcare  |  Information Security

Organizations must focus strategically on how to manage digital content and understand that: 1) end-users are consuming technology differently; 2) consumer devices are being increasingly used as “on-ramps” to digital workflows; and 3) how you secure the scan and capture process becomes increasingly important.

Let’s explore how these concepts relate to two specific industries – healthcare and retail.

1. Healthcare at the practice level illustrates the challenges of matching small business IT resources with highly complex compliance requirements.

Moving patients efficiently through a single or multi-physician practice while handling the necessary workflow to keep it operating is a daily challenge. While health information and technology intends to connect payers and providers, many small medical practices struggle with balancing the business side of their practice with effectively delivering healthcare.

Medical Economics summarizes the challenge this way:

“If you feel like you’re glued to your computer or tablet for much of the day, it’s not your imagination. Many physicians say mounting paperwork is keeping them from spending enough time with patients. In The Practice Profitability Index, the percentage of physicians who spend more than one day per week on paperwork increased from 58% in 2013 to 70% in 2014.”

Get Your Free Report: Information Security - Checking the Locks

HIPAA (the Health Insurance Portability and Accountability Act of 1996) requirements are an important part of any healthcare practice. HIPAA privacy rules protect all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The HIPAA Privacy Rule calls this information "protected health information (PHI)." “Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.

The kinds of documents that must be managed in a typical practice range from actual patient records to ID cards to registration forms to lab results. They must also make sure that all of this information be kept secure, and maintain all of the forms and approvals necessary to demonstrate HIPAA compliance. The old days of managing paper patient folders are numbered, and small practices with very little IT support or resource must manage integration of patient information with electronic records systems like EPIC, Meditech, and Cerner.

The stakes for non-compliance are significant. The Department of Health and Human Services, Office for Civil Rights (OCR), may impose a penalty on a covered entity for a failure to comply with a requirement of the Privacy Rule. These penalties can range from $100 to $50,000 or more per violation, up to an annual maximum of $1.5 million.

2. Retail provides useful lessons in the importance of decentralized capture and the security challenges it creates.

Brick and mortar retail businesses face a host of challenges. “This past year, the expansion and fluidity of e-commerce has continued to challenge traditional retailers to reinvent their strategies of engaging customers. However, brick and mortar stores are answering back, personalizing the shopping experience to compel consumers to keep venturing through their doors.” (What's In Store For 2018: Four Retail And Point-of-Purchase Industry Trends)

In Why Isn’t Retail High-Tech, Juston Patton describes the challenge facing many retail companies:

“To be fair, brick and mortar isn’t allergic to technology, but fixated on process. New problems are often tackled by tweaking store labor and process changes rather than providing new tools. With thin margins, reliable traditional layouts, and sprawling infrastructure across hundreds or thousands of locations, it’s easy to see how costs can get out of hand quickly with even relatively small, new tech additions. In retail, tech is often boiled down to its absolute minimal viable product to keep costs manageable.”

Patton further notes, “As the more forward-thinking retailers will tell you: It’s not about finding a silver bullet technology, it’s about tying together the strengths of many smaller, less expensive systems for maximum impact.”

Retail companies must manage a host of documents, including end of day reports, merchandising setups, customer invoices, and even shelf and name tags, which makes scanning and capture a particularly good fit for retail companies. The benefits of creating a systematic and secure document workflow between stores and headquarters have been long-documented.

Frequently the expense of implementing a solution can be justified just by the savings in overnight delivery and courier services. On top of the increase in productivity, such a solution can also dramatically increase the security of information, which is particularly important in an industry like retail.

Compliance to the Payment Card Industry Data Security Standard (PCI DSS) in the U.S. and the European GDPR (General Data Protection Regulation) provide good examples of the rising stakes associated with management of personal and financial information. All companies that accept, process store or transmit credit card information must maintain a secure environment.

If your organization does business in the EU, offers goods and services to EU citizens, or processes EU citizen data, then all the provisions of GDPR apply. Would all of this apply to a retail company taking web orders from European citizens? The short answer is yes.


Free eBook: Information Security - Checking the Locks

About John Mancini

John Mancini is the President of Content Results, LLC and the Past President of AIIM. He is a well-known author, speaker, and advisor on information management, digital transformation and intelligent automation. John is a frequent keynote speaker and author of more than 30 eBooks on a variety of topics. He can be found on Twitter, LinkedIn and Facebook as jmancini77. Recent keynote topics include: The Stairway to Digital Transformation Navigating Disruptive Waters — 4 Things You Need to Know to Build Your Digital Transformation Strategy Getting Ahead of the Digital Transformation Curve Viewing Information Management Through a New Lens Digital Disruption: 6 Strategies to Avoid Being “Blockbustered” Specialties: Keynote speaker and writer on AI, RPA, intelligent Information Management, Intelligent Automation and Digital Transformation. Consensus-building with Boards to create strategic focus, action, and accountability. Extensive public speaking and public relations work Conversant and experienced in major technology issues and trends. Expert on inbound and content marketing, particularly in an association environment and on the Hubspot platform. John is a Phi Beta Kappa graduate of the College of William and Mary, and holds an M.A. in Public Policy from the Woodrow Wilson School at Princeton University.