Privacy Officer Desk
Did You Know?
An electronic health record system (“EHR”) contains a wealth of information on individuals, including sensitive health data and confidential personal data. That data is presumably collected and maintained for legitimate business purposes, and health care entities and their business partners routinely access, use, and disclose that data for the benefit of individuals. In a hospital or health system setting, an EHR will have millions of accesses to that data. Privacy officials in those institutions routinely tackle the questions of who may access that data, as well as how those access decisions are made and enforced. Why is access to the data a concern if it is collected and maintained for use by the institution? Why does anyone need to worry about access by healthcare professionals who are currently treating, or have treated in the past, an individual? The easy answer to these questions is that federal, and often state, laws require care and concern over the security and privacy of health data. Monitoring of access to health information is mandated in the Security Rule of HIPAA -- a “standard” of required technical safeguards.
During auditing and monitoring of systems that contain health information, an institution may discover inappropriate accesses that fall outside of recognized industry standards and institutional policies. Someone who does not routinely work in the healthcare field may do a shrug of the shoulders and react to the discovery of an inappropriate access with a “so what” attitude. What’s the big deal? Who cares? Who is going to know in the long run? Who is harmed? It is our job as healthcare privacy professionals to be able to answer those questions, and to ensure that there is a program in place to secure health information and to limit the instances of inappropriate behaviors.
The health and safety of patients is every healthcare provider’s primary responsibility. When health data is compromised in any way, securing the health and safety of patients may also be compromised. Someone who may be inappropriately accessing health records may also be compromising that data – amending or deleting information. While such behavior may be considered extreme, it is not out of the realm of possibility for someone with a nefarious goal. The fact that we do not always know the intentions of a violator means that we cannot make assumptions about that person’s intentions. A more common reason for someone inappropriately accessing health data is simply snooping -- being nosy or curious. Someone with these intentions may or may not compromise the information, but very often we see those individuals sharing the information either verbally or on social media sites. The temptation to share a tidbit of information learned about a friend, family member, neighbor, co-worker, or celebrity is just too tempting to keep to oneself. Inappropriately accessing health information for personal gain is also very tempting, as health records contain almost every bit of personal information necessary to obtain a driver’s license, get a loan, or obtain health treatment on someone else’s dime, along with other financial crimes. Recent reports indicate that a stolen health record may sell for up to $1,000.00, thus making it a valuable commodity.
The reality for all privacy officials is that no one can prevent every instance of inappropriate behavior, but that does not mean that we simply “look the other way” and hope for the best. Having robust privacy and security programs that train, guide, inform, and sanction healthcare teams is a must in today’s complex healthcare data environments. HIPAA requires no less, but just as important as complying with regulations is securing the trust of patients and healthcare partners alike.
The healthcare industry currently tends to focus on cybersecurity challenges, and rightfully so as instances of security breaches due to hackers and lax security protocols lead to numerous healthcare systems being compromised and crippled, with health data being held hostage. The numbers of patients and health plan members affected by these cyber incidents is staggering, and the monetary cost to institutions to investigate the incidents and repair the damage is also staggering. Yet, it is important not to forget the individual incidents of inappropriate behavior that affect patients and plan members, as the cost to those individuals can be just as steep on a more personal level. The erosion of trust in one’s healthcare team due to the inability to protect the most sensitive of personal data is a difficult hurdle to surpass and can directly affect an individual’s ability to achieve positive treatment results. Erosion of institutional reputation is also a serious side effect of repeated breach incidents.
Privacy officials must not ignore singular incidents of inappropriate behavior and inappropriate accesses to health data. Access rights to records systems begin with policies and procedures to ensure that only those who need to access the data can do so, and when those accesses are no longer necessary, they are not only discouraged but prevented. Monitoring of health data systems is a requirement under the Security Rule of HIPAA, but more importantly it is necessary to ensure that patient data is secure and safe from prying eyes or misuse for unintended purposes, such as identity theft. Institutions that ignore the simple and basic premise of a secure EHR system run the risk of eroding patient trust and corporate reputation. The cost to repair that non-tangible damage may be insurmountable, and a cost that cyber liability insurance cannot repair.
Proactive compliance efforts are a must for privacy officials in all levels of the healthcare field. Whether an institution is involved in direct care and treatment, payment services, software services, sales of equipment and products, or other areas of healthcare services, securing patient records and information is paramount to regulatory compliance and building and maintaining patient trust. Privacy is NOT a by-product of care. Privacy is a vital component of care not to be ignored or shortchanged.
In a rapidly changing regulatory environment, securing compliance with rules and policies is challenging. In order to stay ahead of these changes, concentrating on the basics of compliance plans is a must. However, even with robust plans and concentrated efforts, violations may occur, particularly in settings where there are multiple organizational settings and tiers of management.
How do privacy officials in these complex environments control risk and mitigate the effects of incidents?
Planning, preparation, training, and consistency are vital aspects of any compliance plan and are particularly important in disjointed or complex settings. Engaging with management at all levels is paramount to securing compliance at all levels.
Despite an organization’s best efforts, when a privacy violation does occur, responding with appropriate levels of care and concern will help to enhance future efforts and to empower compliance teams to continue to enforce policies, improve plans, and identify possible flaws. Once the “rush” of mitigation and response to the violation has passed, privacy teams are faced with opportunities, and in some instances requirements, to improve their programs or tweak their processes. Rather than panic, taking measured and deliberate steps will normalize privacy compliance efforts and assist with reducing risk. Many privacy incidents require an assessment under HIPAA, but evaluating the situation beyond a specific incident improves the overall effectiveness of compliance efforts in the long term.
Consider the following steps post-violation:
- Evaluate whether the incident occurred due to something amiss in the privacy compliance plan -- a missing or flawed policy; lack of specific or effective training; lack of documented procedures; miscommunication with a specific department or workforce member -- all of which may be promptly rectified.
- Evaluate whether the type of incident has occurred on more than one occasion, requiring a refocus of efforts in a particular area or department. It is important to pay attention to those repetitive issues that may not rise to the level of a reportable incident but that could contribute to unnecessary risk, such as sloppy search and access habits in an EHR.
- Evaluate the compliance or privacy department’s staffing levels to determine if outside assistance is necessary, even if just for a short period of time. Staff shortages force compliance teams to “cut corners” or put aside some enforcement or training efforts due to time and task constraints.
- Evaluate whether the compliance or privacy department has the proper tools and software to assist with its efforts. Tools that help to identify risks and possible violations before incidents become reportable reduce staff time, effort and burnout, and bolster compliance efforts. Being able to document, to both upper management and government regulators, that compliance efforts go beyond “checking the box” increases the likelihood of positive outcomes when working toward reducing risk.
- Evaluate whether focus needs to be shifted, even on a temporary basis, to address systemic issues. All the policies and training in the world won’t fix a broken system. Self-evaluations and assessments may need to be conducted to determine whether the plan itself is truly addressing the organization’s structure, needs, and problems, and then difficult discussions and decisions may need to take place.
Cross-department compliance efforts begin with engaging department leaders and showing the benefits of working together. A serious privacy violation can cause havoc throughout an entire organization and be very costly. Department leaders need to understand the fall-out that their areas may experience. Sharing the compliance plan and getting others involved in enforcement goes a long way to enhancing compliance with both company policies and government regulations, thus reducing the risk of serious privacy violations. Yet when violations occur, using those experiences as learning opportunities and building blocks can improve future outcomes and keep compliance programs fresh and relevant. Turn a negative into a positive and forge ahead with improvements, enhancements and increased knowledge.
So often today we hear about and focus on data security, including cybersecurity issues, hacking incidents, security regulations, security breaches, and increased industry standards. There is, however, another very important component of data handling that is vital to customer trust, patient trust, and ethical data processing — Data Privacy. Many individuals believe that data privacy and security are one and the same, and while they do have crossover benefits and responsibilities, these are two separate concepts requiring independent attention.
The European Union’s General Data Protection Regulation, or GDPR, was predicated upon the principle that the privacy of one’s personal information was a basic human right. While we have not yet wholly adopted that premise in the United States, many privacy advocates believe that we should as one’s personal information is the basis of who we are and how we exist in the world.
There is a reason that HIPAA breaks privacy and security into a Privacy Rule and a Security Rule. Equally important to the processing of health data, each Rule sets forth the specifics of handling personal data, whether in spoken, written or electronic formats. The Privacy Rule establishes the basic principles of health data use and disclosure and provides for patients and health plan members to have some direction over those uses and disclosures of their own information. Patients and plan members are afforded certain rights relating to their health data under the Privacy Rule, and the Rule sets forth conditions under which entities may collect, use, and disclose the health data of their patients and plan members. Provision of health care cannot be accomplished without collection and sharing of data, but doing so in an ethical, consistent, and transparent manner is vital to building and maintaining trust in the health field.
The Security Rule establishes the basic requirements regarding safe handling of electronic health data. This Rule sets out mandates for system security protocols, along with administrative and physical safeguards needed to protect and secure electronic data, both at rest and in transit. Only data that is collected, maintained, used, and disclosed in electronic forms is subject to the HIPAA Security Rule, which realistically accounts for the majority of health data today.
To better appreciate the concept of privacy in the handling of data, we must recognize the basic tenets of data privacy, as follows:
- Legitimate purpose for collection, use, and disclosure
- Lawfulness, and
First, ensuring that there is a clear and necessary purpose for obtaining and using the data is vital. This is often referred to as having a “business need” for the data. In a healthcare setting, that generally means treatment and payment purposes, along with compliance activities. Second, collecting, using, and disclosing the data in ways that are honest and ethical, treating all individuals with dignity and respect, is that very important component of a “basic human right” that everyone deserves. Healthcare data should never be used for purposes not originally intended without the proper authorization or approval. Third, complying with applicable laws and regulations that govern the healthcare industry ensures that we are always processing data under accepted industry standards. Compliance is not a suggested component of data privacy, but rather a mandatory aspect of handling other people’s information. Finally, being transparent about how we collect, use and disclose data, never being secretive or underhanded, overlays the other components of data privacy. Patients place their trust in their healthcare providers and those related partners engaged to assist with care and compliance efforts, and transparency ensures that individuals understand who has their data and how that data is being used on an ongoing basis.
Building and maintaining a privacy program that encompasses these basic tenets ensures that operations proceed under a culture of compliance and goes a long way to ensuring business success. A business cannot have success if it does not have the trust of its customers, and for healthcare entities and their patients and plan members, trust is paramount to successful outcomes.
We continue to see more and more attention being given to individuals’ privacy rights as additional legislation is considered and enacted in the United States and beyond. Many of these laws and regulations focus on consumer privacy rights, and healthcare data is often “ignored” as some believe that there are sufficient laws already on the books, such as HIPAA. However, HIPAA went into effect 20+ years ago, and while there have been enhancements, amendments, and updates to the regulations over the ensuing years, some privacy advocates argue that the underlying law is outdated and has not kept pace with the rapidly changing healthcare landscape, including the automation of treatment and payment. Some industry experts believe that HIPAA should be scrapped and replaced with a new updated and more stringent law, while others believe that HIPAA is still very relevant and simply needs further amending.
Where we end up is not known, of course, but those of us working in the field of healthcare privacy understand and appreciate that privacy is at the forefront of any regulation involving health data, and whether changes are made to existing laws or not, respect for an individual’s personal data cannot be compromised as it equates to respect for the individual.
Ethical behavior in any business setting is vital to building trust with customers, partners, vendors and employees, ensuring compliance with laws, regulations and industry standards, and building a strong foundation for success. Setting the tone and example for ethical behavior begins with a company’s leadership team, and those ethics should permeate the company through policies and procedures that state what is expected for internal and external relationships. Repeated reminders of what is expected is important, but the day to day operations and business dealings set the stage for continued ethical success.
Ethics are generically defined as “moral principles that govern a person’s behavior or a certain activity.” In the context of a company or business, that definition is more broad, as it deals with decision making and commercial communications and relationships. In some instances, ethical behavior simply means following the law and adhering to regulations and rules. However, ethical behavior in most business settings is not limited to what is legal, rather the concept is more expansive and extends to what behaviors are acceptable in a particular setting and under a particular circumstance. Fair dealing and civility are important components of ethical business behavior.
In a healthcare setting, ethical behavior is particularly vital as we deal with individuals’ health and well being and with their most sensitive and personal information. Most hospitals, health systems and clinical settings insist on adherence to very strict ethical and moral standards of dealing with patients and third parties. An individual’s life could very well depend upon an employee’s ethical behavior.
Many of us who work in the healthcare field are on the front lines of interactions with vulnerable individuals who are relying upon our sense of duty, fairness, empathy, and compliance with laws and industry standards. Institutions that take ethics seriously will have appropriate policies and procedures that foster compliance with laws and regulations, but also establish values that build trust and respect for all individuals. Ethics is a “top down” concept that begins with leadership but is then fostered, encouraged and demanded throughout every level of the organization. Every employee of an organization should understand the company’s values and principles and should feel empowered to maintain strong ethical behavior and demand the same from co-workers, managers, vendors, partners, and other business contacts.
As we celebrate Corporate Compliance and Ethics Week in the healthcare industry we should all remember that strong ethics and moral fortitude are important for each of us, and we can spread and share those values and beliefs with everyone around us by exhibiting those behaviors in our daily lives and dealings with others. Compliance with laws and regulations, and with policies and procedures, will flow naturally from those strong and consistent ethical behaviors. Fostering a work environment that encourages integrity and ethical behavior ensures compliance efforts are meaningful and achievable — doing what is right even when no one is watching is a long-standing attribute for everyone to follow in all settings. Martin Luther King, Jr. said it best when he noted “The time is always right to do what is right.”
Protenus is proud to associate with so many wonderful and caring partners, and we congratulate all of our customers as we celebrate Corporate Compliance and Ethics Week!
Many regulations require written policies and procedures, including HIPAA and HITECH. Developing and implementing policies and procedures is time consuming, as is maintaining them to ensure that they are current and truly represent a company’s operations. So why bother with the effort? Here are a few high-level reasons:
- Ensure regulatory compliance
- Articulate and share guiding principles for your organization
- Ensure employee awareness of the rules
- Maintain industry best practices
- Keep everyone on the same page
- Adhere to company values, and
- Because it is the right thing to do.
Effective policies are generally standardized across an organization, with the following elements:
- An effective date
- A clearly stated purpose and scope
- Standard definitions
- A succinct policy statement
- Inclusion of related procedures (if not set forth in a separate document)
- References to related policies and other sources of information, and
- A stated owner and/or person to contact for questions.
Policies must be relatable to your business operations, easy to understand, and with an ability to be amended as regulations and industry standards change. Policies must also be available to your workforce to read, acknowledge, and refer to when necessary. Employees cannot be held accountable for adherence to policy requirements if the policies are not available to them for review.
There are many tools available online to assist organizations with crafting effective policies. Larger organizations generally have departments responsible for policy management. Keeping policies fresh and relevant is vital to effective organizational communication and compliance. Don’t be afraid to explore your organization’s policies and ask questions for clarification. Employee feedback can be key to effective policies.
For insights on the latest HHS breach data and recommendations for better protecting patient privacy at your organization, read our blog post, Latest HHS Breach Data Underscores Importance of a Comprehensive Privacy Protection Strategy.
In a world of constant data security threats, hacking incidents, and bad actors looking to do maximum damage to corporate reputations and individual privacy and security, data — including sensitive and personal information — has become vulnerable and at risk. Protected health information (PHI) is the most private of information and is also at risk on multiple provider and vendor sites. Entities lacking robust security and privacy protocols can be easy targets for hackers and cyber criminals. Even those companies that do follow the rules and provide extensive security and privacy safeguards can be hacked by very sophisticated bad actors. The cost of remediating a data security incident can be exorbitant and if a business is not properly insured for such a loss, it can be catastrophic for that business and its customers, patients, partners, and investors.
Cyber liability insurance, also occasionally referred to as “data security” coverage, is vital for any business that maintains lots of data and does business in the cloud or over the internet. It is particularly important to healthcare companies and their business associates who are all maintaining, sharing, using and disclosing PHI. A recent report revealed that the average cost to remediate a major healthcare data breach has surpassed $10 million. Some of the costs related to a healthcare breach include, but are not limited to, preparing and mailing notification letters to affected individuals, setting up a website and/or call center to field questions and address issues, notifying the media and having alternative means of notification to affected individuals, providing for credit monitoring and fraud recovery services, payment of attorney and forensic investigation fees, and payment of fines assessed by state and federal regulators. The internal costs, which are unlikely to be covered by insurance, include staff time to investigate and remediate the issue, along with adjustment to policies, procedures, and systems to correct the problems and prevent any future events, system downtime, and purchase of new or enhanced software products.
The industry is now also dealing with class action lawsuits in states that permit those actions as a result of breaches or cyber incidents. The costs to defend and settle these suits can be staggering, and without cyber liability insurance, could likely bankrupt a small business and seriously affect the operating budget of a larger institution. Insurance coverage for these losses has now become an accepted cost of doing business, but that cost is rising significantly. Some insurance companies have stopped offering this coverage as recent losses over the past few years have been extremely high. Companies that still offer cyber liability insurance have raised rates to astronomic levels, forcing businesses to rethink their overall insurance programs as well as adjusting operating budgets and enhancing privacy and security programs.
How can a business, small or large, improve its chances of obtaining cyber liability insurance coverage and minimize the cost of that coverage? Here are a few points to consider:
- A robust privacy and security program is vital to showing insurance companies that your business is serious about securing data.
- Policies and procedures that require stringent privacy & security protocols and are mandatory for compliance within your organization are vital.
- Performance of an annual privacy & security risk analysis, as well as an annual risk management assessment, are also critical to show the seriousness with which your organization views data security and also sets forth a plan to address shortcomings.
- Continuous training of your workforce and engagement with your third-party partners is important to keep privacy and security on everyone’s mind and enforce the rules within your organization related to privacy, security, and data handling.
- Compliance with federal and state regulations related to privacy and security.
- Inclusion of specific tools in your privacy and security programs that will enhance overall compliance efforts, such as privacy and diversion monitoring and alerting.
Remember also that a history of insurance claims, no matter the cause or reason, will affect the cost of obtaining any type of insurance coverage. A business needs to minimize its risks so as to minimize its incidents and thus minimize its claims. Being aware of issues, and being vigilant in addressing those issues, is essential to being able to obtain and afford cyber liability insurance in today’s ever risky data security world.
The Health Insurance Portability and Accountability Act (“HIPAA”), as amended, sets forth standards and requirements for both privacy and security of Protected Health Information (“PHI”). There are many nuances to protecting PHI, including specific privacy and security standards. And while the official HIPAA regulation contains the phrase “Administrative Simplification”, those rules and regulations can be anything but simple!
How does all of this work with privacy and security? Isn’t there a difference between the two concepts that requires them to be separately addressed? Yes and no. HIPAA does, in fact, separate the two concepts with the Privacy Rule and the Security Rule, each with individual mandates and requirements. However, the concepts of privacy and security should never be addressed so separately that one is given more weight than the other, or one is ignored in order to meet requirements of the other. The Privacy and Security Rules of HIPAA are intended to work together to protect the rights of individuals and to secure their PHI.
Many laws and regulations address either data security or individual privacy, but few address both as does HIPAA. The requirements for privacy and security under HIPAA are not mutually exclusive. Covered entities and business associates must comply with both the Privacy and Security Rules in even fashion, thus addressing both concepts contemporaneously. HIPAA mandates that covered entities and business associates have both a Privacy Officer and Security Officer, and while many organizations keep these functions very separate and distinct, the officials who serve in those roles should always be in contact and work together in order to provide a comprehensive plan for both privacy and security. An organization’s privacy policies and plans should complement the organization’s security policies and efforts, and vice versa. Compliance under the Privacy Rule does not allow for a “pass” under the Security Rule -- both privacy and security must be accounted for under HIPAA.
The specifications under HIPAA are generally tagged as either “required” or “addressable.” A required specification means that a covered entity or business associate MUST implement that specification. An addressable specification means that a covered entity or business associate must assess if the specification is appropriate and reasonable for its environment and thus determine if implementation is achievable. If the specification as written is deemed to be inappropriate or unreasonable, a party must implement an equivalent alternative measure that satisfies the intent and requirement of the written specification. “Addressable” does NOT mean that the specification may be completely ignored.
Robust security programs must have the following safeguards: technical, physical and administrative, all as set forth under HIPAA with specific standards and requirements. Access and audit controls fall under technical safeguards and are required to protect electronic PHI, or ePHI. Performing a risk analysis and having risk management reviews and procedures in place fall under administrative safeguards and are required to identify and reduce organizational risks that may jeopardize the security of PHI. Workstation security protocols and data back-up and storage procedures fall under physical safeguards and are implemented to provide a safe and secure work environment when accessing ePHI. There are many other safeguards and standards set forth under HIPAA that all covered entities and business associates must comply with, and it is important to stay vigilant with these requirements in order to protect and secure PHI in all forms. Utilizing artificial intelligence, or AI, to address some of these mandatory safeguards can mitigate risk, including reducing the risk of an inappropriate use or disclosure of PHI.
Many states have data security, data protection, and/or breach notification laws, but only 5 states have specific privacy-centered laws:
The laws are in various stages of finalization and roll-out, but all are based upon consumer protection concepts for individuals. These state laws codify protections for individuals who share personal information with businesses, or whose personal information is collected, used, and disclosed by businesses, often through website activity.
While the protections under these laws are not geared specifically to health information, all individuals who interact with businesses will have rights, and in some instances remedies, under these state laws. The privacy laws are loosely based on the European Union’s GDPR, and may provide stand-alone consumer protections, or provide additional protections in conjunction with other data security regulations.
There are 12 additional states considering specific consumer privacy regulations, but those efforts are either on-hold or adjourned at this time.