Why Hospitals Need to Rethink Privacy and Information Security Models

Halfway through 2020, we can safely say that the healthcare landscape is rapidly changing with the complexity of state and federal data privacy regulations, new technologies, creative patient care delivery models, and changes in our workforce practices and locations.

Congress continues their discussion of a national data privacy law, even as many states are working to step up their own state obligations where they feel that HIPAA alone is not enough protection for patient data.

Though much of the state discussions address general business data protection recommendations, the implementation of these laws may implicate health data as well. It’s no longer enough to just be compliant with HIPAA. With this added pressure, it is time to rethink the traditional HIPAA privacy and information security model.

Traditional Model

Many organizations have traditionally had one designated privacy officer, as required by HIPAA. The privacy officer might have other responsibilities in addition to this designation. Titles could include director or manager of health information management (HIM), general counsel, compliance officer, or, for larger organizations, corporate privacy officer. Many could be structured under the CEO, compliance office, risk management, or legal services.

A privacy officer’s chief responsibility is to lead the overall corporate privacy program. Responsibilities include monitoring privacy compliance related to privacy and confidentiality, serving as a liaison to regulatory accrediting bodies, partnering with cybersecurity on policies and procedures, monitoring systems development and operations for security and privacy compliance, and providing guidance related to business partner contracts.

Traditionally, privacy officers have worked to meet each of the HIPAA Privacy Rule’s obligations and to safeguard patients’ protected health information (PHI).

Much of this work consists of managing access and disclosure verification procedures, such as individual request of access for those who are the subject of PHI, emergency access, including next-of-kin requests, access by power-of-attorney or those with legal authority such as public health oversight bodies, coroners and medical examiners, or law enforcement.

Other obligations include strategic guidance regarding information resources and technology, assisting the information security officer with the development and implementation of processes and controls to ensure compliance with the administrative, physical, and technical safeguards of the HIPAA Security Rule.

Most organizations should already have responsive plans in place with toolkits that include comprehensive resources plans, policies, and procedures, sample notification letters, workflow diagrams, and breach risk assessment guidelines.

With the increased pressure coming from complex obligations of federal and state privacy regulations, patients are demanding more access and control over their health information. In addition, healthcare organizations are merging, divesting, or forming other creative partnerships and initiatives, such as implementing telehealth or building a specialty facility jointly funded by two healthcare organizations.

As these partnerships and relationships evolve, it may be time to move away from this traditional privacy and information security model to an approach that encompasses a better matching of privacy and security resource expertise to the new complex demands, and broader oversight for a more focused risk-based program. It’s time for healthcare to evaluate just how effective its privacy and information security programs are working.

An Expertise Team Approach

As the complexity of regulations continue to unfold, there are healthcare organizations that are shifting to an expertise-focused team model to ensure compliance with the increasingly numerous and complex state and federal laws related to patient and data privacy and security.

Other obligations that are starting to impact the accessibility, integrity, and confidentiality of data will include the 21st Century Cures Act, the information blocking rule, initiatives on advancing the integrity of social determinants of health data, and integrating clinical and administrative data.

In this new expert-team approach, team members would ultimately report to one privacy and information security compliance program oversight. This program would have greater visibility and responsiveness to the shifting healthcare state and federal privacy and data protection initiatives.

Consideration for an Expert-Team Structure

As covered entities assess their program integration, they will find that the traditional privacy officer spends a large amount of time working on routine privacy event investigations, patient complaint triaging, and clerical documentation.

It’s clear that this traditional structure does not allow seasoned privacy officers time to utilize their extensive expertise to evaluate and provide guidance into risk areas that required privacy-compliant design in this new complex health system structure.

In addition, privacy officers needed to be available to assess and manage the critical work coming from state and federal agencies as well as roll out process improvement initiatives. With a constant demand on the ever-decreasing healthcare dollar, the model allows prioritization for a risk-based approach. Touchbase calls and team meetings keep this expert model accountable in meeting the organization’s goals and expectations.

To allow for more flexibility and bandwidth, the privacy officer role can be expanded from single facility region oversight to a “super division” or an entire service line management concept that includes oversight and responsibility for the privacy programs in multiple state locations and service lines. This larger program oversight would then give privacy officers more time to focus on prevention through data analysis, provide tailored monitoring and education, and assess risks and identify mitigation strategies.

As healthcare organizations consider this type of new expertise structure, freeing up the privacy officer from the routine investigations could allow more collaboration in risk mitigation with other expert teams under a uniformed team to focus on their expertise.

Other expert teams that should be considered might include privacy incident management, information security officer, data leakage protection, audit and monitoring, and electronic health record compliance.

Privacy Incident Management

A privacy incident management team would manage privacy event investigations, spread case workloads, and document events. Even in a risk-based approach, HIPAA requires that all privacy complaints or potential issues be thoroughly investigated and resolved in a timely manner. Privacy event investigations are funneled to the incident team for investigation and follow-up. To streamline the process, there would be dedicated internal and external communication channels that lead to the incident team for a centralized gatekeeping and assignment function.

Information Security Officer

The regional information security officer (RISO) straddles a unique position in the organization. The RISO works closely with local staff to identify and resolve problems specific to a facility or market and surface those problems up to the enterprise level. In the opposite direction they also help drive enterprise-level controls down to market, thus helping ensure consistency and standardization of security controls across solutions regardless of who is managing that solution. The RISOs also work closely with expertise teams in IT delivery and support to ensure the right people are involved when designing and building solutions and responding to incidents and threats. The expertise teams would exist for various technical and functional towers allowing leverage and apply a best-of-breed model as they deliver solutions to the healthcare organization. The expertise teams would have the ability to stay abreast of risks, threats, and capabilities at a far greater level of detail than is necessary for an individual RISO and as such become critical partners in delivering privacy and security services as part of this team effort.

Data Loss Prevention

Under an effective expertise program, data loss prevention (DLP) requires proactive monitoring to detect malicious and negligent insiders, as well as data leakage risks. The DLP program should be focused on identifying the root cause and preventing data leakage, first by educating end-users or remediating insecure business processes. Traditional DLP tools, which monitor email, endpoints, and file servers, play a very important part—but the main goal is to guide these remediation efforts efficiently and effectively. DLP tools are a part of a safety net, in effect a data security control of last resort.

This expert team would streamline and manage a dedicated DLP program to manage a full spectrum of the healthcare organization. As outlined under an acceptable use policy, data loss prevention should monitor and quarantine PHI if identified as a threat to leaving the system outside of the required parameters. This DLP team would work within this team structure to mitigate the risk of PHI exposure.

Audit and Monitoring

While privacy officers have traditionally managed the role of audit log monitoring, this expert-team model would move much of this function to an automated process that identifies high-risk activities and access. This program could be partnered with a monitoring vendor to audit and monitor patient health data, and there are several out in the market that have this capability. The partnership with a monitoring vendor would allow organizations to detect improper access and handling of confidential data sooner than traditional DLP tools. Use of application-level monitoring and auditing tools allows detection of malicious insiders’ and outsiders’ activity as well as employees who are unintentionally mishandling data at the point of access, whereas traditional DLP tools only detect them at the point of exfiltration.

Electronic Health Record Compliance

Overall health and attention to the electronic health record (EHR) security and integrity must also be a focus for a health data compliance expertise team. EHR design and use in 2020 and beyond will be impacted at every point of service.

For example, fast healthcare interoperability resources (FHIR) will impact healthcare EHR systems by forcing EHR vendors, who must be certified by ONC, to include APIs to automate not only patient direct access requests, but also many other forms of health information exchange. All record systems in healthcare that serve as designated record sets will also have to accept a patient’s choice to get copies and to attach other medical records for inclusion in that system. How this will all be implemented while maintaining security and privacy is yet to be determined. There are many hurdles to overcome in getting these applications—and the patients who use them—operational. Privacy and security expertise compliance staff must determine the correct processes that will be most proactive for use of the data while also meeting the regulatory requirements.

An example of an expert-team approach would be to implement a process to review the compliance of health information systems technology as each is brought into the healthcare record platform.

One approach under a unified-team approach would be to create an EHR health information technology assessment tool. This one-system technology overview approach would include a review of new products and solutions impacting EHRs, such as patient and consumer portals, health information exchanges (HIE), and other applications handling patient data.

The assessment tool should include any initiative or project related to health IT where patient information is going to be used or exchanged. This EHR expert-team approach is to ensure the production, integrity, and authenticity of the patient health information created, maintained, utilized, or transmitted within the organization’s IT system and solutions.

This one-compliance health IT review approach would give covered entities a holistic picture of the quality of the health data and systems and allows the team to stay focused and agile to ongoing needs of the organization, addressing the highest compliance risks in health IT arenas.

Working Smarter, Not Harder

This “work smarter, not harder” expertise approach would allow organizations to be responsive to the changing risk in the healthcare setting.

Not all healthcare organizations may have the robust tools or maturity in place to make a full break from the traditional structure of privacy data protection, but each can start with small steps to align their programs based on their organization’s goals and objectives.

This expertise model allows for a focused strategy to prepare and lessen risk to PHI and mitigation in the event of an occurrence, such as a privacy or information security data breach. As the industry moves through 2020 and beyond, other partnerships in the organizations will require attention based on the complexity of privacy and information security.

The protection of patients’ data is vital to patient care and treatment continuity. As healthcare resources are stretched and workplace structure evolves, we need to remain vigilant to do the right thing for our patient population. We must continue to protect the accessibility, integrity, and confidentiality of our patients’ health data.

Judi Hofman (judihofman@catholichealth.net) is NW division privacy officer, CommonSpirit Health, parent company of Catholic Health Initiatives and Dignity Health.

[box type="info"]

Continuing Education Quiz

Review quiz questions and take the quiz based on this article, available online.

• Quiz ID: Q2029108
• Expiration Date: August 1, 2021
• HIM Domain Area: Information Protection: Access, Disclosure, Archival, Privacy and Security

[/box]