Website performance is an important part of the customer experience. Here is a checklist from Vitaly Friedman that has just been published by Smashing Magazine.
A blog post by Eric McNulty reminds us of our simplicity over complexity core principle. In his post he addresses some of the reasons why simplicity is important.
Why aren't more things simple and why does complexity keep crashing in?
As Abraham Lincoln said, “I'm sorry I wrote such a long letter. I did not have the time to write a short one.” Mark Twain is also quoted as saying, "I didn't have time to write a short letter, so I wrote a long one instead."
Simplicity is hard. Simplicity requires knowing what is important and what is not. To overcompensate for not knowing organizations and people try to do everything and be everything.
So, if complex is easier, and simple is harder - why do I want to simplify?
Each of these items has a direct impact on the customer's expectations and the customer experience.
Two key approaches to remove complexity are:
Design all processes and products with the focus on the customer. Understand the needs of the customer and meet those needs as simply as possible.
Only add tasks, features, and functionality to your process and products that are absolutely required. Remove any that are no longer required. Leaving unnecessary bloat in your processes and products is a big cause of complexity.
Harvard Business Publishing Webcast - Take Complexity Out of Your Company, with Ron Ashkenas, author of Simply Effective.
We continually preach that customer experience is not user experience and user experience is not graphic design. However, a good customer experience requires a good user experience and a good user experience requires good graphic design.
Two resources that we like for learning more about graphic design are:
In the McKinsey&Company article "Debunking common myths about healthcare consumerism" by Jenny Cordina, Rohit Kumar, and Christa Moss they analyze the increasingly active role that consumers are taking in healthcare decision making and its impact on commonly held myths.
The first myth that they show to be false is that "consumers don't bring the same expectations about customer experience to healthcare that they bring to retail or technology companies."
The last myth that they address is "most people are willing to trust insurers to store their health records." As we have addressed many times, trust is extremely important for all customer experiences but it is critical when it comes to healthcare information. In their Consumer Health Insights Survey they found that a large majority would only trust their provider to store their patient generated health information. Only a small minority would trust their insurer or other commercial third-party companies.
We feel that patient privacy and confidentiality have become headline items that don't get the detailed level of attention they deserve. Trust is a cornerstone of the customer experience. A patient-centered organization must exceed the privacy and confidentiality expectations of the patient to gain their trust and fully engage them. Even if you are one of those organizations that doesn't believe in the value of patient-centered care or the customer experience, patient privacy and confidentiality are still extremely important because they are the basis of many laws and professional ethical standards.
The AHIMA Code of Ethics includes the following applicable principles “I. Advocate, uphold, and defend the individual's right to privacy and the doctrine of confidentiality in the use and disclosure of information” and “III. Preserve, protect, and secure personal health information in any form or medium and hold in the highest regards health information and other information of a confidential nature obtained in an official capacity, taking into account the applicable statutes and regulations” (AHIMA Code of Ethics).
Protected health information (PHI) is protected by federal and state statutes and regulations. At the federal level HIPAA and the HITECH Act contain many rules that apply. They are the Privacy rule, the Security rule, the Enforcement rule, the Omnibus rule, and the Breach Notification rule (HIPAA for Professionals). Most states also have additional protections for sensitive PHI such as “alcohol and drug abuse, genetics, domestic violence, mental health, and Human Immunodeficiency Virus (HIV)/Acquired Immune Deficiency Syndrome (AIDS)” (U.S. Guide to Privacy and Security).
The Standards for Privacy of Individually Identifiable Health Information, or Privacy rule, established “a set of national standards for the protection of certain health information” (U.S. Summary of HIPAA). A major goal of the rule is to assure the protection of PHI “while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being” (U.S. Summary of HIPAA).
The U.S. Department of Health & Human Services summarizes individually identifiable health information, or PHI, as (U.S. Summary of HIPAA):
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
The Privacy rule protects all PHI “held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral” (U.S. Summary of HIPAA) from unauthorized disclosure. Unauthorized disclosure is any disclosure that is outside the scope of the permitted uses and disclosures. The Privacy rule identifies six categories of permitted uses and disclosures. They are “(1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations” (U.S. Summary of HIPAA).
The Privacy rule doesn’t require every risk of unauthorized disclosure to be eliminated because it is “not intended to prohibit the treatment team from talking to each other and/or to their patients” (HIPAA - Incidental) and others may be in the same area and overhear the conversation. It “permits certain incidental uses and disclosures that occur as the by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards and implemented the minimum necessary standard […] with respect to the primary use or disclosure” (U.S. Covered Entities).
Administrative requirements associated with the Privacy rule include privacy policies and procedures, privacy personnel, workforce training and management, mitigation, data safeguards, complaints, retaliation and waiver, and documentation and record retention (U.S. Summary of HIPAA).
Data safeguards require that the facility “maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure” (U.S. Summary of HIPAA). The “safeguards standard is flexible and does not prescribe any specific practices or actions that must be taken by covered entities” (U.S. The Nationwide Privacy).
The Security rule addresses “administrative, technical and physical safeguards specifically as they relate to electronic PHI” (HIPAA Privacy). It also includes organizational standards and policies, procedures, and documentation requirements (HIPAA Security).
Administrative safeguards required include “security management functions”, “assigning security responsibility”, “workforce security”, “information access management”, “security awareness and training”, “security incident procedures”, “contingency planning”, “evaluation”, and “BA contracts and other arrangements” (HIPAA Security).
Physical safeguards include “facility access controls”, “workstation use”, “workstation security”, and “device and media controls” (HIPAA Security).
Technical safeguards include “access control”, “audit controls”, “integrity”, “person or entity authentication”, and “transmission security” (HIPAA Security).
Additional details on the security standards can be found in the “Security Standards Matrix” on page 10 of the “Security 101 for Covered Entities” paper from the U.S. Department of Health and Human Services (HIPAA Security).
According to HHS “a breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless the CE or BA demonstrates (based on a risk assessment) that there is a low probability that the PHI has been compromised” (U.S. Guide to Privacy).
The Breach Notification Rule was last updated as part of the Omnibus rule in 2013 and it replaced the risk of harm standard with an objective risk assessment based on (1) “the nature and extent of the protected health information involved, including the types of identifiers and the likelihood that PHI could be re-identified”, (2) “the unauthorized person who used the PHI or to whom the disclosure was made”, (3) “the likelihood that any PHI was actually acquired or viewed”, and (4) “the extent to which the risk to the PHI has been mitigated” (U.S. Guide to Privacy).
Unless the risk assessment demonstrates a low probability that the disclosure compromised the PHI or the data has been encrypted rendering it “unusable, unreadable, or indecipherable” (U.S. Guide to Privacy) the breach needs to be reported. The “who and when” of the reporting depends upon how many individuals were impacted.
“Affected individuals must be notified without unreasonable delay, but in no case later than 60 calendar days after discovery” (Legal Alert Breach). If more than 500 residents of a state or smaller jurisdiction are affected, then “a prominent media outlet that is appropriate for the size of the location with affected individuals” (Legal Alert Breach) must be notified. If more than 500 individuals are impacted, then HHS must be notified at the same time as the individuals (Legal Alert Breach). If fewer than 500 individuals are impacted, then HHS must be notified within 60 days after the end of the calendar year (Legal Alert Breach).
Many states have additional breach notification reporting requirements and timelines. For example, in the State of Florida the Florida Information Protection Act of 2014 also covers PHI. Breaches must be reported within 30 days of discovery with a possible extension of 15 days. If the breach affects 500 or more persons notice must also be made to the Florida Department of Legal Affairs (Legal Alert New Florida).
The Office for Civil Rights (OCR) initiates investigations based on complaints, breach reports, periodic audits, and other sources. The penalties vary for each of four levels of violation. The levels are “violations that the entity did not know about and would not have known by exercising reasonable diligence”, “violations due to reasonable cause”, “violations due to willful neglect that are corrected within 30 days”, and “violations due to willful neglect that are not corrected within 30 days” (U.S. Guide to Privacy).
The Office of the National Coordinator for Health Information Technology suggests a “seven-step approach for implementing a security management process” (U.S. Guide to Privacy). The seven steps are “Step 1: Lead Your Culture, Select Your Team, and Learn”, “Step 2: Document Your Process, Findings, and Actions”, “Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis)”, “Step 4: Develop an Action Plan”, “Step 5: Manage and Mitigate Risks”, “Step 6: Attest for Meaningful Use Security-Related Objective”, and “Step 7: Monitor, Audit, and Update Security on an Ongoing Basis” (U.S. Guide to Privacy). Some of the key areas that help avoid willful neglect claims are training, developing “a culture of protecting patient privacy and securing patient information” (U.S. Guide to Privacy), risk management and mitigation, monitoring and auditing, and documentation.
The first phase of the OCR audits included 115 covered entities and took place during 2011 and 2013. The second phase has just begun and will continue into 2016. Sixty-one of the covered entities were healthcare providers. More than 98% had at least one negative finding regarding Security rule compliance. The breakdown of the findings was 60% related to the Security rule, 30% related to the Privacy rule, and 10% related to the Breach Notification rule. Within the Privacy rule findings, 26% involved lack of or inadequate training. In fact, “HHS officials who spoke at” an HHS-NIST conference “indicated their belief that inadequate workforce training was a key factor in yielding these audit findings” (Solove). Additionally, in 30% of the findings the root cause was “entity unaware of the requirement” (Solove). As Daniel Solove says, “essentially, the conclusion is that non-compliance wasn’t due to confusion or misunderstanding of the rules. The rules were clear.” (Solove).
"AHIMA Code of Ethics." AHIMA Code of Ethics. AHIMA HIM Body of Knowledge, 2 Oct. 2011. Web. 20 Dec. 2015.
"HIPAA for Professionals." HHS.gov. United States Department of Health & Human Services, Jan. 2013. Web. 18 Dec. 2015.
"HIPAA - Incidental Disclosures of PHI." HIPAA - Incidental Disclosures of PHI. University of Chicago: HIPAA Program Office, Oct. 2006. Web. 19 Dec. 2015.
"HIPAA Privacy & HIPAA Security." West Virginia State Privacy Office. State of West Virginia, n.d. Web. 17 Dec. 2015.
"HIPAA Security Rule Overview (Updated)." Journal of AHIMA 84.11 (2013): 1-6. Nov.-Dec. 2013. Web. 19 Dec. 2015.
"Legal Alert Breach Notification Standard Changed by HIPAA Omnibus Final Rule." Breach Notification Standard Changed by HIPAA Omnibus Final Rule: "Risk of Harm" Standard Replaced with More Objective Test. N.p., 22 Jan. 2013. Web. 17 Dec. 2015.
"Legal Alert New Florida Information Protection Act Expands Data Breach Notification Requirements." McGUIREWOODS. N.p., 3 July 2014. Web. 17 Dec. 2015.
"New HIPAA Breach Notification Rule May Prove Costly for HIPAA-Covered Entities." Duane Morris LLP. N.p., 25 Jan. 2013. Web. 17 Dec. 2015.
"Safeguarding Visual PHI from Prying Eyes." HIPAA Security & Privacy STAFF TRAINER (2004): 1-8. Brownstone Publishers, Inc., Oct. 2004. Web. 18 Dec. 2015.
Solove, Daniel. "The Most Alarming Fact of the HIPAA Audits - TeachPrivacy." TeachPrivacy. Teach Privacy, 03 Nov. 2014. Web. 20 Dec. 2015.
United States. Department of Health and Human Services. Centers for Medicare & Medicaid Services. HIPAA Security Series 1: Security 101 for Covered Entities. Centers for Medicare & Medicaid Services, Mar. 2007. Web. 18 Dec. 2015.
United States. Department of Health and Human Services. Office for Civil Rights. Covered Entities and Business Associates. HHS.gov, Jan. 2013. Web. 18 Dec. 2015.
United States. Department of Health and Human Services. Office for Civil Rights. Summary of the HIPAA Privacy Rule. HHS.gov, Jan. 2013. Web. 18 Dec. 2015.
United States. Department of Health and Human Services. Office for Civil Rights. The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (Privacy and Security Framework). HHS.gov, Jan. 2013. Web. 18 Dec. 2015.
United States. Department of Health and Human Services. Office of the National Coordinator for Health Information Technology. Guide to Privacy and Security of Electronic Health Information. HealthIT.gov, Apr. 2015. Web. 17 Dec. 2015.
United States. Department of Health and Human Services. Office for Civil Rights. WellPoint Pays HHS $1.7 Million for Leaving Information Accessible over Internet. HHS.gov, 11 July 2013. Web. 18 Dec. 2015.
Many U.S. Department of Health and Human Services (HHS) audits and enforcement activities have found HIPAA violations that are the result of people who should know better violating the law because of ignorance or willful neglect.
Recently the HHS Office for Civil Rights "took an important step toward ensuring that individuals can take advantage of their HIPAA right of access" by releasing additional guidance on the subject.
They did this because "based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule."
Regulatory, legal, ethical, and technical issues aside - customer trust, a major customer experience factor, is based on the foundations of transparency and the customer's ownership and control of their personal information.
Brian Kalis, John Froehlich, Adam Burke, and Marc Warren of Accenture have published "Losing Patience: Why Healthcare Providers Need to Up Their Mobile Game."
Their findings include:
Harpreet S. Sood, M.D., David Bates, M.D., and Aziz Sheikh have published a set of recommendations related to "Leveraging Health Information Technology to Achieve the Triple Aim" of "better care experiences, better population health, and reduced per-capita costs."
They list a set of findings and recommendations for improving EHR systems and acknowledge that "much more than technology will be needed to transform health care delivery and achieve the triple aim."
Many of their recommendations are focused on improving the patient experience, care coordination and collaboration, encouraging best clinical practices, and reducing clinical care variation.
I was reading an article in which the term optimization was used as if it were a higher-level goal than management. I feel that using "Customer Experience Optimization" in place of "Customer Experience Management" is a marketing sleight of hand that simply claims the Optimize part of Management is different from, and more important than, the entire Management life-cycle process.
Just to be clear: service and process management involve a life-cycle that includes Optimize as one of the core activities. Just run a Google search for "Business Process Management" and you will see that some form of Optimize is part of every business process management (BPM) life-cycle definition.
Business process management is the study of the design and execution of processes. A business process is a step-by-step algorithm to achieve a business objective. Business processes are assets to be managed, designed, and continuously improved to enhance outcomes and performance. The process management life-cycle definition that I prefer includes (1) strategy, (2) design & model, (3) implement & execute, (4) monitor & analyze, and (5) optimize.
The process management life-cycle is not the customer life-cycle, nor is it the customer journey, nor is it the customer experience life-cycle. It is a business management discipline that encompasses many different methodologies and tools to optimize business operations to meet the business strategy, mission, and goals.
On the real point of the article - Customer Centricity - I am in agreement with the author. I also believe that the best way to improve outcomes, performance, and business value is to put the customer at the center of the business strategy, mission, and goals.