- Healthcare privacy and security are inexorably linked, as the two terms are often referenced in tandem, but the need for privacy expertise shouldn’t be lost in the weeds as organizations look to beef up their security programs. Healthcare IT professionals must be able to manage patient data privacy along with their security responsibilities, not just consider privacy an ancillary duty.
Jeff Northrop, Chief Technology Officer for International Association of Privacy Professionals (IAPP), explained some of the nuances to patient privacy, the skills needed in healthcare at the moment and a new IAPP privacy certification in a Q&A with HealthITSecurity.com.
Can you provide an overview of privacy landscape?
Healthcare information privacy has to do with more than just compliance with HIPAA. Consumers are increasingly demanding privacy protections. This is a hot button issue with not only regulators but state attorney generals, for example, as they’re trying to meet consumer needs for better privacy. As organizations are extracting more uses out of data, which is both sensitive and uniquely valuable. There is a tension between the consumers that want to protect their data and those within healthcare organizations that want to maximize the use of that data, creating a need for privacy experts within an organization. They can help guide an organization through extracting maximum value while minimizing risk of upsetting consumers [with privacy concerns].
What are some qualities required of a healthcare IT professional with a privacy role?
Those at the C-level [CIOs, CISOs, etc...] are well-suited to fill this role, as they know what data is being collected, where it’s being stored, how it’s being stored, who has access to it and for what purposes they have that access. Those are exactly the items that must be understood to mitigate privacy risks. There is a unique opportunity for security professionals. Not only is this role of mitigating risk important to the overall health of the organization, which is a good place to be professionally, it’s a great opportunity for them as well. These roles often struggle for budget and attention in terms of being able to build processes within the organization. A lot of those roles end up tactical in nature and not really strategic, but privacy is one of those unique opportunities to think strategically and gain influence within an organization.
Can you help set apart some privacy skills that are unique and different than just security expertise?
Beyond just HIPAA compliance, you get into these gray areas that relate to consumer expectations. We’ve had a series of regulatory actions against organizations for incidents that surprised consumers in the way that their privacy was handled. Having an understanding of the Fair Information Privacy Principles (FIPPs) and being able to apply that to your organization while just looking at HIPAA regulations and what the audit of that compliance is telling you, but looking beyond that is critical.
Many Privacy Officers come from a law and policy-type background and they have the fundamental understanding that’s part of their training, but they struggle to understand all of the details within the security functions, as technology can get pretty complicated. On the other hand, you have these security professionals that are comfortable with all of the intricacies of securing the data and what that really means, but have trouble understanding the law and policy aspects.
Privacy requires someone to sit between those two. You could have two different people with each of those skill sets working hand in hand, or there are people who have the ability to straddle those areas and manage those issues. I think having a single person in that area not only makes you more efficient, but I think you’ll be more effective in keeping data private.
What are some details on the new IAPP certification offering?
We just announced the Certified Information Privacy Technologist (CIPT), which is specifically designed for IT security personnel to demonstrate their knowledge in privacy issues. They can prove that they have the required skills to manage privacy for their organization.
To qualify yourself for certification, you have to apply for the exam, which comes in two parts: (1) A foundation exam that serves as a base understanding of privacy issues and (2) the CIPT designation. Depending on what kind of experience you have coming into it, it could take someone as few as 20 hours of studying if they’re competent on the topics or far more if they’re new to the area. We’re not offering the exams yet, but the first exams will come out at the IAPP Academy in September in San Jose.