Integrate Privacy HIPAA Guidelines into Daily Operations - PowerPoint PPT Presentation

Slides: 26
Provided by: cindy112
Transcript and Presenter's Notes

Title: Integrate Privacy HIPAA Guidelines into Daily Operations


1
Integrate Privacy HIPAA Guidelines into Daily
Operations
Cathy Mooney John Marshall April 23, 2005
2
Objective
  • Introduce you to the challenges facing companies
    when applying HIPAA into their daily operation
  • Understand how operational activities need to
    address those privacy challenges

3
Privacy Challenges
  • Consumers want Personalized Service BUT don't
    want companies to have their personal information
  • HIPAA says Don't Disclose BUT The Law
    requires Disclosure
  • This patient falls under HIPAA BUT That patient
    does not

4
The Challenge
  • Consumers want Personalized Service BUT don't
    want companies to have their personal information

5
Fundamental Concerns
  • Incorrect information
  • Misuse
  • Lack of consent

6
Understanding Customer Privacy Concerns
  • The proliferation of electronic information can
    have far reaching impact on personal privacy
  • Insurability
  • Employment
  • Financial
  • Relationships

7
The Challenge
  • HIPAA says Don't Disclose BUT The Law
    requires Disclosure

8
HIPAA Competing Legal Requirements
  • FDA and other laws may require the disclosure of
    PHI.
  • Government investigations and court orders may
    lead to disclosure of PHI.
  • PHI may be the subject of discovery in product
    liability and other litigations.

9
The Challenge
  • This patient falls under HIPAA BUT That patient
    does not

10
The Privacy Maze
  • United States
  • HIPAA Privacy
  • Individual State
  • Global
  • EU Data Protection
  • Other
  • Safe Harbor

11
I'm Soooo Confused!!!
  • You can't expect employees to be experts on the
    privacy laws
  • BUT you can expect employees to follow the
    company's policies and procedures

12
  • Creating a Culture that Integrates Privacy
  • Into the Daily Operation

13
Create Policies and Procedures
  • Test them out; don't just write and implement
  • Integrate privacy into other policies and
    procedures
  • Include safeguarding, training, monitoring and
    corrective actions

14
Implement Through Training
  • It isn't technology that causes breaches; it's
    not training on the importance of safeguarding
    private data
  • Don't train just once and consider your training
    done

15
Customer Service Situations
  • Will have many unique situations arise as a result
    of working with a variety of people external to
    the company
  • If both healthcare providers and patients are
    customers, can be confusing on what can be
    disclosed to whom

16
Distribution Situations
  • Will also have some unique situations working
    with people external to company
  • Usually a high level of vendors that are not
    specifically healthcare focused
  • Have some regulatory requirements that involve
    disclosing PHI
  • More interaction with law enforcement

17
Regulatory Situations
  • Complexity of how to deal within the competing
    regulations

18
So let's talk Technology
  • Implementing technical safeguards means training
    on how to use those technical safeguards
  • The ERP conundrum

19
Can't Be Said Enough
  • Train
  • Create tools to provide guidance and reference
    materials
  • Don't train just once and consider training done

20
Re-enforce commitment
  • Incorporate privacy in job descriptions
  • Incorporate privacy in business audits
  • Include consequences for breaches through
    corrective action
  • Train

21
Two Heads Better than One
  • Staff functions as another set of eyes for
    privacy
  • Regulatory reviews
  • IT lifecycles and reviews

22
But Don't Just Focus Internally
  • Delegating to a third party does not relieve
    companies of responsibility
  • Must have clear understanding of the privacy
    practices of our business partners
  • Obligate Business Associates
  • Contractual agreements with consequences

23
What If a Breach Happens?
  • Be prepared
  • Have a contingency or threat management plan in
    place
  • Know roles and responsibilities
  • Have procedures in place to move and respond
    quickly

24
The Cost of a Breach
  • Public relations cost
  • Investigational costs
  • Corrective action costs
  • Business costs
  • Employee morale

25
Create a Cultural Change
  • Privacy in job descriptions
  • Policies and procedures
  • Training
  • Communication
  • Follow through
  • Periodic Updates
  • Training
  • Driving accountability
  • Training