Privacy professionals say some low-tech tactics—such as better communication, basic workforce education and breach simulations—can help covered entities significantly as they struggle with the multiple issues involved with HIPAA data privacy and security.
In a panel discussion held this month at the annual HIPAA Summit in Washington, D.C., seven top HIPAA privacy experts offered a wide variety of tips and advice on topics ranging from new technology to breach cleanup.
Still, the panelists noted that even as the conversation surrounding privacy gets technical, the experts need to remember that patients’ wishes underlie the entire topic. “There are two sides to HIPAA privacy. One is obviously the compliance side. The other is the personal patient side,” said Anne Kimbol, assistant general counsel and chief privacy officer at HITRUST and former general counsel for Texas Health Services Authority.
Kimbol said she always applies what she calls the “creepy” test, which asks whether a patient would find what you’re doing with their data creepy. In this case, she said, there are two questions to answer: “Does HIPAA let me do it? Does my conscience let me do it?”
Elizabeth Delahoussaye, chief privacy officer at Ciox Health in Alpharetta, Georgia, told conference attendees that HIPAA professionals frequently talk about the number of records that were breached. “Well, it was patients that were breached,” she said. “I agree, yes, they are records, but that was an individual’s information.”
Medical staff members and others in health care organizations aren’t always thinking about the patient, said Angela Alton, vice president and privacy officer at Ann & Robert H. Lurie Children’s Hospital of Chicago, and former deputy chief privacy officer, Bay Area, for Sutter Health.
“I think reminding and bringing back your staff to the basics of what they’re required to do and how some of the things that they develop may actually be saving them time but violating a patient’s rights as to how the information is used and where it goes” is important, Alton said. “And I think many times our staff are not necessarily thinking about the patient. They’re thinking about it from a data perspective.”
Erika Riethmiller, chief privacy officer and senior director of privacy strategy at University of Colorado Health, and former director of corporate privacy for Anthem Inc., added: “I think if we always keep the patients in mind and in our focus and continue to listen to them and be responsive to them, we’re going to achieve all those things we’ve heard about as far as interoperability and better patient care.”