Last week, we discussed some current privacy initiatives and areas of focus with Kevin Haynes, the Chief Privacy Officer of Nemours, on HealthITSecurity.com. But beyond his own work, Haynes described how patient privacy work must align with security and other compliance projects. It helps that Haynes spent nearly 20 years in IT and also served as the security officer for Nemours before he became its Chief Privacy Officer.
Haynes said he collaborates with the current Nemours security officer, adding that “systems have changed so I work very closely with the Nemours security officer whenever there are technology issues that pop up.” In Haynes’s experience, the most common data breaches haven’t been related to technology. Instead, according to Haynes, many breaches have involved paper records, as someone will often mail out the wrong medical or billing records. When it comes to the number of people impacted, however, Haynes believes technology has the greatest chance of being a contributor, because so much patient data can be stored on small devices.
I work closely with the security officer when we’re implementing new systems or are looking at scanning [data] and we focus on specific algorithms and keys. For instance, we were looking at data loss prevention (DLP) and concentrated on key words that were going out. And I work closely with the IT group to make sure that the correct words and phrases are being looked at because of the multiple privacy requirements that are out there on state and federal levels.
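Haynes describes tuning DLP to the words and phrases that matter under the state and federal rules that apply. The following Python sketch is an added illustration, not Nemours’ configuration or material from the article, of the shape such an outbound-mail check takes: keyword and phrase lists keyed by the rule set they serve, pattern matches for structured identifiers that a keyword list cannot express, and a verdict that treats state-restricted terms more strictly than federal ones (the article notes state law is often the more restrictive). The phrase lists, identifier patterns, internal domain, and sample messages are all constructed assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed keyword lists keyed by the rule set they serve (hypothetical,
# not an actual DLP configuration). A real list is derived from the state and
# federal requirements that apply to the organisation.
PHRASES = {
    "hipaa_phi": ["medical record", "diagnosis", "date of birth", "treatment plan"],
    "state_sensitive": ["behavioral health", "substance use", "hiv status"],
}

# Structured identifiers are matched by pattern rather than by keyword.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
}

INTERNAL_DOMAINS = {"example-health.org"}  # assumed internal mail domain


@dataclass(frozen=True)
class Finding:
    rule: str   # which phrase list or pattern fired
    match: str  # the text that matched


def scan_text(text: str) -> list[Finding]:
    """Return every phrase or identifier hit found in an outbound message."""
    findings: list[Finding] = []
    lowered = text.lower()
    for rule, phrases in PHRASES.items():
        for phrase in phrases:
            # Word-boundary match so "diagnosis" does not fire inside "misdiagnosis".
            if re.search(r"\b" + re.escape(phrase) + r"\b", lowered):
                findings.append(Finding(rule, phrase))
    for rule, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(rule, m.group(0)))
    return findings


def decide(recipient: str, body: str) -> tuple[str, list[Finding]]:
    """Classify an outbound message as 'allow', 'review' or 'block'."""
    findings = scan_text(body)
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in INTERNAL_DOMAINS:
        return "allow", findings  # internal mail is logged, not stopped
    if any(f.rule in PATTERNS for f in findings):
        return "block", findings  # a bare identifier leaving the organisation
    if any(f.rule == "state_sensitive" for f in findings) or len(findings) >= 2:
        return "review", findings  # state-restricted term or several PHI phrases
    return "allow", findings  # a single generic phrase is too noisy to hold


# Constructed sample traffic, not real mail.
SAMPLE_MESSAGES = [
    ("billing@example-health.org", "Attached: statement for MRN 00412345, date of birth on file."),
    ("parent@mail.example", "Your child's treatment plan and diagnosis are attached."),
    ("partner@clinic.example", "Re: referral, MRN: 00412345, SSN 123-45-6789."),
    ("friend@mail.example", "Thanks for the behavioral health conference slides!"),
    ("friend@mail.example", "Lunch tomorrow? No diagnosis needed, just pizza."),
]

if __name__ == "__main__":
    for rcpt, body in SAMPLE_MESSAGES:
        verdict, hits = decide(rcpt, body)
        print(f"{verdict:6} -> {rcpt}: {[h.match for h in hits]}")
```

The fourth sample message is the trade-off Haynes alludes to: a broad phrase such as “behavioral health” catches a conference announcement as well as a clinical note, which is why the word and phrase lists need the IT group and the privacy office to tune them together rather than either side alone.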
HIPAA Security Rule and Privacy Rule
In addition to technology, Haynes needs to be on the same page with the security team in complying with state and federal law, such as HIPAA and HITECH. From his perspective, healthcare’s compliance issues are similar to what he was dealing with at banks and financial services years ago. In those days, he said, there was a focus on the letter of the law and security was focused on what the regulations required.
Over time the industry adopted a more comprehensive approach to security, realizing that it’s not only about the regulation or the rules. Healthcare is similarly homing in on HIPAA and applying each rule literally, and oftentimes that’s as far as it goes. It shouldn’t be just about the rules; it should be about the intent of HIPAA, which extends to the best practices and guidelines that organizations need to follow. Healthcare is also maturing at a pace similar to that of financial services when GLBA, Sarbanes-Oxley, and PCI DSS were being introduced.
The HIPAA Privacy Rule, normally handled by a compliance group or legal department, and the HIPAA Security Rule, on which a security officer may focus most of their efforts within IT, are two very distinct and different disciplines. As such, Haynes works closely with the security officer on projects but generally concentrates on the HIPAA Privacy Rule, among other privacy regulations, for compliance purposes.
I used to ask myself, “why aren’t these two areas combined?” But I’ve learned that I could not be the advocate I am today if I had to balance both security and privacy requirements. Even if there is some crossover between the two, they’re both very complicated. On the privacy side, it’s different because there’s daily interaction with patients, families and our Associates. Conversations about privacy tend to gravitate towards process improvement, change in patient interactions, and other less tangible elements. On the security side, there’s more of a focus on IT systems, which on their own are extremely complex.
Haynes went on to add that because healthcare is arguably the most regulated industry, teams focused on delivering the best possible privacy and security for their patients and families are critically important to maintaining their trust.
With the new HIPAA audit requirements, Haynes sees a lot of organizations now understanding that auditors aren’t just looking for what HIPAA lays out for them – they are now being proactive and referencing National Institute of Standards and Technology (NIST) guides and other frameworks and models.
I’ve always focused on doing the right thing first. Applying proven and accepted privacy and security practices is critical to achieving our objective – to honor and respect the privacy of our patients, families, and Associates. Compliance falls into place when your program is built around this principle. There are some barriers to that, such as HIPAA or state law. State law for us, oftentimes, is more restrictive than federal law. We are a diverse health system. For example, we operate unlicensed and licensed facilities, which have different requirements when protecting our patient’s privacy. [The different laws] do make it more difficult.