HIPAA Privacy & Security Compliance: 'We Don’t Need A Chief Privacy Officer'
Implementing a privacy and security program can be just as important to a healthcare practice as having a medical malpractice liability insurance policy. But security and privacy programs don’t just materialize out of thin air. To implement a functioning and effective privacy and security program, somebody within the organization must perform specific related tasks. In many practices, physicians are appointed to serve as the chief privacy officer (CPO) and the chief security officer (CSO). In other practices, the CPO and CSO duties may be assigned to senior staff members, often an office manager or program director who is already conducting high-level oversight of the business. (Larger organizations may be fortunate enough to have CPOs and CSOs who are able to focus solely on these job functions without having to worry about other day-to-day tasks; this is the exception rather than the rule, however.)
In most practices, the CPO and/or CSO performs many other daily duties, which can push the most important CPO and CSO functions down the list of daily responsibilities. For the roles to function to their highest potential, privacy and security officers should be given enough time to carry out their inherent duties, such as developing and implementing policies designed to protect employee and patient data from unauthorized access and ensuring that the organization’s security needs and requirements are being met from both a physical and a digital perspective. This article discusses how a CPO should be staffed, trained, and put in a position to be a valuable asset to any healthcare business. (A future column will discuss the same for the CSO function.)
Establishing The Appropriate Authority
Even more important than having enough time to focus on the appropriate level of work, privacy and security officers must be given the authority to implement required policies, procedures, and practices. All too often, the individuals who serve in these roles lack the authority needed to serve effectively. Particularly in smaller practices, it is not uncommon for a physician to be named as the CPO only to delegate the daily responsibilities to another individual. In this case, the physician essentially remains the CPO “on paper.” Regardless of whether the individual conducting the day-to-day privacy responsibilities is the actual CPO or a subordinate, the most important point is that the person doing the work is not constantly overruled or second-guessed by anyone else. When this occurs, practices are more likely to face privacy problems.
Practice Functions That The CPO Can Impact
Generally speaking, the more you have that is worth protecting, the more you need a CPO. A legitimate CPO should set the privacy strategy within an organization; navigate the complex and changing landscape of privacy regulation; and, perhaps above all, advocate for patients in keeping their protected health information (PHI) private, safe, and secure. The most important responsibilities of the CPO are to be the patient’s advocate inside the practice; to determine what constitutes PHI (which in practice should include the personally identifiable information [PII] among the volumes of information the practice holds); to ensure the protection of that data (and to decide what should not be retained); and to maintain all of the information the practice needs for treatment, payment, and/or operations.1 What follows is a list of four important ways that a qualified CPO can impact any healthcare business.
1. Privacy regulations
Handling PHI comes with the responsibility to protect both the patient and the practice. Ensuring that patient and practice information remains private as defined in the relevant regulations is paramount. To accomplish this, the CPO must have a high level of familiarity with privacy (and security) regulations. Given the large and growing number of privacy laws at both the federal and state levels, and in some circumstances international regulations,2 it is very important for practices to hire someone to steer their efforts to adhere to these regulations and ensure transparent data practices. The legal risk of noncompliance with the various international, federal, and state regulations (all of which have specific requirements concerning notice and transparency, collection, use, storage, processing, and return of data, as well as incident management) is too severe to ignore or minimize. Additionally, the requirements are not self-evident, and the penalties for privacy (and security) violations are steep. Along with the financial consequences, the reputational consequences can have an even greater negative impact on the practice. HIPAA provides practices with yet another reason to have a qualified CPO: You are legally required to do so. The Privacy Rule (45 CFR 164.530(a)) mandates that every covered entity (CE)3 designate a privacy official responsible for developing and implementing its privacy policies and procedures; if you are reading this, your practice is most likely classified as a CE. The benefits of having a qualified CPO will always outweigh the gamble of going without one.
2. Data breaches
A practice’s brand can diminish overnight when its privacy program fails, and the practice can miss potential revenue streams by not being compliant, in addition to a variety of other “soft” costs associated with a breach. According to research, when a data breach occurs, fines and penalties account for only about 35% of the total cost of the breach; the other 65% of the expense to the practice lies in “soft” costs such as lost employee trust. There has been no shortage of headline-making, high-profile data breaches over the last several years. In July, a reported data breach at UnityPoint Health, West Des Moines, IA, compromised 1.4 million records.4 It was reportedly the second such incident for the organization within a year and is said to be the biggest health data breach of 2018 to date.4 Also in July, attackers breached the network of LabCorp Diagnostics, one of the largest clinical laboratories, over a weekend, putting the records of as many as 115 million patients at risk and forcing a shutdown of the network to contain the cyberattack.5 When these types of unfortunate occurrences arise, it is the CPO who takes the lead in developing strategies for how PHI (and PII) is protected and in working with management on the technical and business issues that must be addressed.
3. Public relations
Having a proactive strategy in place to protect against a security breach can also safeguard the practice’s brand reputation. At the very least, the CPO can work to diminish any negative effects of a breach on the organization’s public image, as well as any lingering trust issues that employees may have after a breach. In some ways, a communications strategy can be as critical as a strategy to avoid future privacy incidents. A 2017 study found that reputational harm from a breach was evidenced by 31% of consumers saying they discontinued their relationship with the breached entity, while 65% said they lost trust in the organization after being affected by one or more breaches.6 The average losses reported by organizations with a low customer loss rate (below 2%) were $2.67 million. A customer loss rate of 5% resulted in average revenue losses of $3.94 million.6 (Note that this study involved larger healthcare organizations, but the message should be significant for practices of any size.)
4. Lost profits or interrupted operations
A practice that lacks a well-defined, well-managed privacy program, and a dedicated person to develop, deploy, and manage it, will miss revenue opportunities and suffer revenue loss, sometimes to a crippling degree. On an annualized basis, business disruption accounts for 39% of total external costs, which includes costs associated with business process failures and lost employee productivity.7
Finding The Best CPO
Knowing how the CPO can serve the organization’s present and future needs is only half the conversation. Let us now address the obvious question: What talents and skills should be considered when choosing the best CPO? To reiterate, today’s technological changes and advancements have placed new demands on every healthcare practice. From electronic health records (EHRs) and various mobile innovations to the rapid growth of interconnected networks, privacy has become a priority issue. Again, the first line of defense is a well-qualified CPO. The ideal CPO should have experience in providing counsel on the development of privacy practices and policies, patient confidentiality, data security, and training employees on privacy issues. A CPO should have a breadth of general knowledge in privacy regulation, human resources, and technology, with specific knowledge of the relevant regulations at the federal level. What follows is a list of five core skills to look for in a CPO candidate:
1. Privacy specialization. A detail-oriented mind with a background in reading regulatory language or in human resources helps provide a solid foundation for any CPO. Further training in privacy, such as a certification from the International Association of Privacy Professionals (for example, the CIPP or CIPM), will help ensure the CPO can establish a privacy framework along with the requisite protocols. Experience advising companies that work in areas raising leading-edge privacy questions, such as cloud computing, is also a positive.
2. Future-focused. The CPO must remain current on developments in technological innovation, pending legislation, and other early indicators of what the privacy landscape may look like in the near- and long-term future. Given the increasing privacy issues related to EHRs, mobile devices, and medical devices, hands-on experience with an assortment of technology and the ability to view a practice’s products and services through the lens of the privacy-aware patient are essential.
3. Risk awareness. The CPO should be involved in advising on and coordinating internal and external media efforts when there is a data breach. The individual should also have experience in providing guidance on proactive communication of the practice’s privacy commitment, which can help promote competitive advantages while addressing patient and other stakeholder concerns as they arise. The CPO should also be an integral participant in the practice’s routine privacy risk assessments, collaborating with the security team on internal processes to ensure appropriate standards are in place.
4. Transparent communicator. Many privacy policies are poorly written and often ignored by practice members because they bury the practice’s privacy program in legalese. The CPO should know that a successful privacy program needs to be transparent, including communication with the practice’s workforce about strategic objectives, how those objectives relate to privacy, and the risks the practice faces.
5. Being empathetic. Patients value privacy differently, and a reliable CPO should be capable of understanding differing values across a range of perspectives. The ability to balance the practice’s business objectives while interpreting the privacy concerns of patients is fundamental. Many mistakes are made when practices assume their employees, managers, and patients share a common understanding of what privacy means. A valuable CPO ultimately integrates an understanding of privacy into the practice’s culture.
Summary
Incorporating a well-trained CPO into any healthcare practice demonstrates the organization is aware of the complexities that practices within this industry face due to rapidly changing technology. Retaining a CPO is not only an investment for a successful, profitable practice, it also signals a willingness to embrace these complexities and prepare for the future while reinforcing a message of respect for patients’ privacy. A qualified CPO helps to build trust with patients as well. Whenever a new position emerges at the C-suite level, administrators can be certain that a substantial debate about exactly what the role encompasses, and which skills are crucial for meeting an organization’s needs, will follow. The title of CPO should be among those conversations.
Roger Shindell is chief executive officer of Carosh. He is also chairman of the HIMSS Risk Assessment Work Group and is a member of AHIMA’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at rshindell@carosh.com.
References
1. 45 CFR 164.506 – Uses and disclosures to carry out treatment, payment, or health care operations. Legal Information Institute. 2018. Accessed online: www.law.cornell.edu/cfr/text/45/164.506
2. General Data Protection Regulation (GDPR). 2018. Accessed online: https://eugdpr.org
3. 45 CFR 160.103 – Definitions. Legal Information Institute. 2018. Accessed online: www.law.cornell.edu/cfr/text/45/160.103
4. Davis J. 1.4 million patient records breached in UnityPoint Health phishing attack. Healthcare IT News. 2018. Accessed online: www.healthcareitnews.com/news/14-million-patient-records-breached-unitypoint-health-phishing-attack
5. Davis J. LabCorp goes down after network breach, putting millions of patient records at risk. Healthcare IT News. 2018. Accessed online: www.healthcareitnews.com/news/labcorp-goes-down-after-network-breach-putting-millions-patient-records-risk
6. Ponemon study reveals impact of data breaches on organizations’ reputation. HIPAA Journal. 2017. Accessed online: www.hipaajournal.com/ponemon-study-reveals-impact-data-breaches-organizations-reputation-8846
7. 2015 Cost of Cyber Crime Study: Global. Ponemon Institute. 2015. Accessed online: www.cnmeonline.com/myresources/hpe/docs/HPE_SIEM_Analyst_Report_-_2015_Cost_of_Cyber_Crime_Study_-_Global.pdf