Health system executives are faced with a dizzying kaleidoscope of constantly evolving privacy regulations, making compliance a full-time job that spans multiple roles. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Teresa Burns, Director of Privacy Operations and Privacy Officer with Protenus, suggests strategies for staying on top of what is happening in the regulatory landscape, as well as how to leverage teamwork and clear assignments to stay in compliance.
Anthony: Welcome to healthsystemCIO’s Partner Perspective Interview Series. I’m Anthony Guerra, Founder and Editor-in-Chief. Today, we’re talking with Teresa Burns, Director of Privacy Operations and Privacy Officer with Protenus. Teresa, thanks for joining me today.
Teresa: Thank you for having me. I appreciate the opportunity to be here.
Anthony: Do you want to start off by telling me a little bit about your organization and your role?
Teresa: I am the Chief Privacy Officer for Protenus. Protenus is a compliance data analytics company that works with large and small health systems and hospitals to monitor accesses to patient records. We also have a drug diversion product where we assist hospitals with monitoring the flow of regulated drugs through their system. The company has been in business for 10 years. I have been with the company as their Privacy Officer for 6 years.
Anthony: You were with Johns Hopkins, correct?
Teresa: I was previously with Johns Hopkins as the Deputy Privacy Officer.
Anthony: You did that for a while?
Teresa: I did that for approximately 9 years. I was with Johns Hopkins for a total of 13 years where I did some work related to contracting, purchase of medical equipment and lab and pathology services.
Anthony: I did an interview recently and the CIO on the call expressed a lot of frustration with all the different privacy laws and how difficult it is to stay on top of everything and stay in compliance. Let’s talk about that dynamic.
Teresa: Okay.
Anthony: A lot of health systems now span multiple states. As a CIO, you could be in one state, you could be in multiple states, you could be in half the country. But you have to make sure you’re in compliance not just with the laws of the state you’re in but any state you’re operating in, and then pretty much every state. Because you could have a patient come from California or Chicago where the privacy laws are quite distinct and specific.
Teresa: That frustration is shared by many, not just CIOs but anyone who is working in healthcare compliance whether it’s from the security or privacy side. The main law was HIPAA and then in the last 5 years or so we saw other laws passed, many other federal and state agencies getting involved in putting their stamp on what they think the privacy regulations should be. Any time you have multiple, layered regulations, you have complexities and confusion and increased cost to comply.
Right now, obviously, we still have HIPAA and we have HITECH which are the federal laws. There is a push to pass a federal healthcare privacy law that would work with HIPAA but would be a standalone law. The American Privacy Rights Act is also being introduced. It’s not just healthcare, it’s all privacy related laws. They are getting some pushback and we fully expected it. This has been attempted in the past and always failed. There was hope that this year there would be more of an opportunity for success in Congress because there was a bipartisan effort when the bill was introduced.
However, it has not proceeded through committee. We do have a law that will change things on a federal level. At the state level we have 19 states that have enacted privacy laws. Many of them are consumer based laws but they also weaved their way into some healthcare requirements. There are 6 other states that have pending bills. You can see how many states have jumped on the bandwagon to pass their own regulations.
You also have regulations by the FTC that we have to comply with. You have CISA which is the Cybersecurity Infrastructure Agency which has its own set of guidelines and regulations.
There’s multiple levels and at some point, you ask which one do I comply with or how do I comply with all of them? That is frustrating, it is a challenge and it is expensive. The question would be how do you keep on top of all of it. It’s not easy.
It’s important to network with other healthcare organizations that follow things closer. I know the American Hospital Association is very active in following these different regulations and laws and even objecting to certain regulations, and submitting formal written opinions and requests. There was even a lawsuit filed by AHA against HHS. There are agencies that assist with following these regulations, standing up for the healthcare profession.
CHIME is another agency that is very good at advocating for healthcare agencies that don’t have the resources to follow all the laws or make objections.
Anthony: Can you make a distinction between laws and regulations passed by agencies?
Teresa: Yes. A law is something that’s enacted by a legislative body. Unless it’s overturned, it’s official. The regulations are tasked with enforcing those laws. A regulation explains the law: “this is the way you comply with the law; this is the way we, as the agency tasked with enforcing the law, see that everyone out there needs to comply with this law.”
The problem is recently some people view agencies as overstepping their bounds and actually passing their own laws, going beyond what the agency objectives are supposed to be which is enforcing already existing laws.
A regulation is supposed to guide you on how you are supposed to be in compliance with the law. The agencies are not supposed to be passing the laws. There is a difference and there has been pushback, as we’ve seen with the recent Supreme Court ruling. They want to rein in some of these agencies, particularly federal agencies. That’s what that ruling was. But you probably see it just as much on the state level. You get on a roll with these agencies and they just keep going and going with the different levels of rules, regulations, laws, whatever you want to call it, and that makes it more complex. Because then you don’t really know what the law says, but now the agency says this. What am I supposed to do here?
Anthony: Let’s talk about what people are obliged to comply with. Let’s say you’re a health system that operates in a certain state or certain number of states, and you get a patient from California. Are you under an obligation to comply with California state laws if you don’t operate in California, you just happen to have a patient come who lives in California?
Teresa: If you are a California regulatory body, you’re going to say yes, right? If you are probably a state of Maryland agency that does not operate in California, you’re probably going to say no. Unfortunately, there is no clear answer and hospitals and health systems have been left to make their own decision internally on what their policies are because there are two different paths of thinking.
If you have an organization that does business in only one state and the patients are coming to them, there’s a colorable argument that you only have to comply with the state where you are operating. Those individuals are coming to you for care, the care is being given in that state, the medical records are residing in that state and those are the state laws that comply. There’s a colorable argument for that. But there’s probably just as much an argument on the flipside, where if you are encouraging people to come to you for care, they live in another state, they are subject to their state’s laws and you should be complying with those laws as well.
I don’t know that there’s a right answer but I think what’s important is an institution needs to make a decision, needs to have documented policies and procedures and needs to be consistent with how they handle that question. An example is if a very large academic medical center pulls patients from not only all over the country but all over the world, you might have a difficult argument by only complying with state laws because you are enveloping all the country and beyond.
Most institutions have made the decision from the standpoint of breach notification laws, leaning towards responding to the patient’s home state requirements. Just to be on the safe side, that’s what they do. They would send a breach notification that complies with California law as opposed to just Illinois law or New York law or Maryland law. Whatever decision an institution makes, it has to be founded on sound decisions, be consistent with policies supporting the decision.
Anthony: It’s almost like what is reasonable. If we’re a health system or a hospital and we operate in one state, we’re fairly small, I can’t imagine worrying about what’s going on in the other 49 states. But if I’m a large health system and I’m in 15, 20 states, well…
Teresa: That’s a different story. Not only that but if your institution has clinics in other states, then clearly you’re going to be subject to that state’s laws because you’re operating within that state. The question I think is a little more clouded when you’re only physically in one state, all the care is being provided in one state and all the records are maintained in one state. Then, you might have more of an argument that you only have to comply with your state’s laws. But again, there are individuals who disagree with that and to be on the safe side, they would say wherever that patient is from, we’re going to comply with that state’s laws as well.
Anthony: Again, I try and put myself in a position of a CIO or CISO at a health system. I’m busy and I probably have somebody who is heading this up at the health system, compliance, privacy, certainly legal. How does the responsibility break down? Do I sit there as a technology executive and say “well, my Privacy Officer will bring things to my attention that we need to be in compliance with and then I will figure out how to do that. But I am not going to worry about deeply following privacy laws because it’s not what I do.”
Teresa: Right.
Anthony: “I’m in technology.” I’m going to leverage or rely upon that person. You can get into the different roles and how they work together when we talk about legal, privacy, compliance. What do you think is the best dynamic there? I don’t think we can expect the technology executives to be deeply following privacy regulations, right?
Teresa: I would agree with that. Your technology and security specialist better be up to date on the security requirements. That’s their job. When it comes to privacy and other compliance components you will be relying on others in your institution to follow those regulations and laws. The complication comes into play because all of these laws are interconnecting in some fashion. If you are a larger institution and you have a dedicated legal department, you should definitely have an open dialogue with someone in your legal department who is in the regulatory affairs sub-department or has the responsibility to track new legislation.
There should be an open dialogue and regular communications. That’s true for the privacy officials as well. Not all privacy officers monitor new regulations. If they have a large institution with a legal department, it’s usually the legal department or the regulatory affairs department who is following all of that legislation, and that’s their job. They follow state, local and federal laws, and then communicate what is new and what needs to be done.
If you’re a smaller organization, that’s where it becomes more challenging. If you don’t have a regulatory affairs office or a large legal department, someone has to take responsibility. That’s going to be a dialogue among the different leaders, the executive team, the leadership team, who is going to have the responsibility to monitor regulation and who is going to have the responsibility to communicate the changes and new laws to the other leaders.
It’s a challenge especially when we have so much happening in the legislative world map. Every day you read about a new guidance, a new regulation, a new proposed law that’s being tracked through the legislative process. When something gets passed, there’s usually a rule-making time period where you can make comments. There’s an enforcement date. Somebody needs to be tracking all of that. It’s very complicated and it’s time consuming.
In a smaller institution, you need to talk about whose job is this going to be. Because if you don’t talk about it and you don’t assign someone, nobody is going to do it. Nobody has the time, nobody has the staff or the resources so it has to be a discussion and it has to be part of somebody’s KPI, somebody’s goals. It may not be the CIO’s, it might be the Privacy Officer or maybe they each take a piece of it. But somebody needs to be tracking that somehow.
The other option is to have outside counsel or an outside consultant. Hire a vendor who tracks legislation across the country at the state and federal levels. They provide regular reports and decisions are made whether this applies to our institution or not, and how are we going to put this into play if it does. Some health systems or hospitals or small practices have to rely on external resources.
Anthony: It makes perfect sense. You’re making excellent points. It’s almost like you have to figure out based on your size and where you operate, what’s reasonable and what your approach is going to be. You might do that using resources internally, that type of analysis and decision making where you might bring in a third party to help you with that analysis and rendering opinion based on what we do and where we operate and the laws, what do you think is reasonable? What do you recommend?
Teresa: Right.
Anthony: Then you talked about possibly that constant monitoring and a report being generated by a third party, if you can’t do that internally. Brilliant, absolutely makes sense. You have to realize how important this is, first off. You have to realize the implications and you don’t want any of those letters saying you’re out of compliance and you’re being investigated. That’s the last thing you want.
Teresa: Right. But I will also say this: not every law or regulation applies to every institution’s business operation. You have to look at that as well. Just because the federal government or the state government passes some regulation or new law doesn’t mean it applies to you and what you’re doing. You need to take a step back and read the regulation, read the law and determine if it is geared toward what I’m doing and how I’m doing it. Sometimes you might need a little bit of assistance with that. Again, you might want to get an opinion from outside counsel. Does this law apply to my company?
This is probably more important for those business associates that are working with covered entities, the vendors, like Protenus. Sometimes, regulations are passed and they don’t necessarily apply to the type of work we’re offering covered entities. The rush to change your internal processes and your policies and put more resources on things, sometimes is misplaced. You have to take a step back and make sure you understand what the law says and what the regulation is geared towards and make sure it applies to your business.
Anthony: You mentioned some regulations or laws that were passed that seemed to generally deal with consumers but may have implications or may affect health systems. As you said, that’s going to require some analysis.
Teresa: Yes.
Anthony: I just can’t picture that being a good use of an IT professional’s time.
Teresa: As you said, some of these regulations are 300 pages, 600 pages, a thousand. I’m sure there are people that would say “no, you’ve got to read every word.” Well, knock yourself out. That’s not me.
But someone who’s trained in technology and security and the things I’m not trained in, they don’t necessarily understand rule making and legislative analysis and what the law or guidance really means. I wouldn’t expect them to, and they’re working with limited resources. Sometimes, you have to spend a little bit of money to get the right opinion. That’s why you engage outside counsel to give you an opinion. Or again, if you’re fortunate enough to have a regulatory affairs department or a legal department that’s large enough, you can get a written opinion from them.
Anthony: Absolutely great. I want to talk a little bit more about the communication between key players in the health system. We talked about the progression to decide your strategy based on legal opinions and what you feel is reasonable in terms of what you need to be monitoring. Obviously, all the federal agencies, these are all the things we decided we need to monitor.
Now, that’s going to be assigned, as you mentioned, and I love the specificity you bring to understanding roles because if it’s everybody’s role, it’s nobody’s role. Whose role is it to monitor these things? Now, that individual monitoring these things may be a privacy expert, understanding regulations and legal, and be able to render an opinion, but they’re not an IT expert. Therefore, they may not share with the IT executive because they don’t realize there are IT implications…
When it does finally get to IT, they say “we’re going to have to do so many things differently, I wish I’d seen this earlier or no, we’re good. There’s no IT implications of this privacy change, we’re good.” That’s why that communication has to happen because the person absorbing and analyzing is not an IT expert, right, so they need to communicate.
Teresa: Exactly. When I see a new regulation or enforcement action or law and I read it and it gets into cybersecurity specificities or the security rules specificities, I consult with our CISO who is also our Chief Technology Officer. We have a conversation about what it means and I will share that portion of the written documentations so he can read it for himself. Many times he says “yeah, we’re good, we’re already doing this. Oh well, see, I read it and I didn’t know.” Because that’s not my area of expertise.
I’ve learned over the years, certain things that I can read and say “oh, I know we’re doing that because I’ve been told by our CISO before, we’re good.” If I read something new I will let him know about it if I don’t know. You have to be willing to say that I don’t know and not be embarrassed. I was not trained in technology. While I know some of the buzz words and I understand what my company does and how we do it, that still doesn’t make me the expert. I have to be willing to share with the individual who is the security expert or the IT expert, and not be embarrassed. That person doesn’t have the same knowledge or background that I have in interpreting the privacy regulations so it’s a fair trade-off.
Anthony: Great point. You also don’t want a reverse situation where a privacy expert assumes the CIO or CISO is looking at it. Communication is key.
Teresa: Absolutely. As we know, the HIPAA laws have a privacy rule, a security rule, an enforcement rule and then you have HITECH and some of that is security based. I look at it as a whole. When there are proposals to change something in the security rule, I read that and understand it. But I share that with my CISO. If it’s just the privacy rule piece of it or the enforcement rule, I know that’s not his area of expertise and he doesn’t have to worry about compliance with that.
But the security rule part really is his area of expertise and he has to comply with that. So although I make sure I understand it because I’m the HIPAA person, I share that with him, anything to do with cybersecurity changes, guidance that might change the way we are doing our audits. That’s his world.
Anthony: When we’re dealing with people that are essentially on the same level at the org chart, like a Chief Privacy Officer and a Chief Information Officer, I assume these are generally at the same level, nobody is telling anyone what to do, nobody is dictating, nobody is ordering. It’s a discussion, right?
Teresa: I think that’s true in a small organization like Protenus. When you get into a mega organization where you have large departments with big budgets and lots of staff, things may fall through the cracks and that’s why it’s important that the leadership of those departments regularly meet, regularly communicate, whether it’s quarterly, twice a year, monthly, however they decide they need to do it. Those are the individuals that need to leave those lines of communication open and make sure that they’re all on the same page about who is doing what, whose responsibility is what.
Departments in large organizations will become focused on what they’re doing and only what they’re doing and forget that there’s another world with multiple departments. It’s easier when you’re smaller because you’re together all the time. In the large organizations, it’s very departmentalized and that creates its own challenges.
Anthony: What is your final piece of advice for the CIOs and the CISOs regarding privacy?
Teresa: Make sure you talk with your privacy officers, your legal departments, your regulatory affairs departments and with one another, because sometimes tech and security are separate departments. IT and security may be separate departments. You have to communicate. You have to be talking, meeting, discussing, setting new policies, updating policies. If you don’t have those lines of communication open, nothing will get done and then you will have an event that is devastating, or a regulator will visit, which is also devastating.
Anthony: You don’t want that letter from the OCR, right? Is that who you would usually get the letter from?
Teresa: No, it could be from the FTC. It could be from CISA. It could be from HHS and it could be from a state agency.
Anthony: You don’t want any of those letters.
Teresa: Attorney general’s office. Yeah, I’ve been on the receiving side of some – not at Protenus, but where I worked before – and you deal with it. You just take a deep breath and you deal with it. But if you can avoid it, that’s the best course to take.
Anthony: I think that’s the best piece of advice to leave us on today. Teresa, thank you so much for your time. I really appreciate it.
Teresa: Thank you for the opportunity. I appreciate it. Thank you.