Shared Perspectives on Data Breach Response and Compliance
Last week I had the opportunity to bring together many perspectives in the incident response management process and discuss our shared challenges, our best practices, and how we can better work in unison.
In a 3-hour panel presentation during the 2017 HCCA Compliance Institute, I was joined by three great panelists offering a variety of perspectives:
- Patricia Shea, Partner at K&L Gates, presented the roles and interests of outside counsel when it comes to compliance with HIPAA
- Laura Merten, Chief Privacy Officer at Advocate Health Care, represented the role of a chief privacy officer of an integrated delivery system, with 13 hospitals and over 300 locations
- Asra Ali, Compliance and Risk Manager at Healthscape Advisors brought her depth of knowledge as a consultant with hands-on experience to share real world scenarios she has experienced firsthand
Shared Perspectives: Aligning HIPAA Frameworks and Internal Privacy Policies with Technology to Operationalize Incident Response
Patricia Shea kicked off our panel with a dive into the basic framework and compliance tips for navigating HIPAA. The HIPAA landscape can be complex and evolving, and it requires constant attention; Patricia described how tormenting navigating this complexity can be. She provided some guidelines to ease this stress, including:
- Knowing the core terms essential to HIPAA compliance (PHI, PII, covered entity, business associate, breach vs. incident, etc.)
- Knowing who the key players are in your incident response team
- Knowing the “golden rule” for HIPAA compliance – You may not use or disclose PHI unless HIPAA permits or requires you to do so
Building on this framework, Laura Merten brought a valuable in-house perspective to privacy frameworks, sharing the work she and her team have done to build a culture of privacy at Advocate Health Care. She discussed the need to build cross-functional support in incident response, the tools she uses to operationalize her framework, and the ways her team is continuously revising and improving on their program controls, policies, and procedures. Hearing the scope of Laura’s work at Advocate, and the number of committees and responsibilities on her shoulders, illustrated to me the heavy burden on privacy and compliance professionals. This is an important and difficult role to take on, often compounded by the pain of manual processes.
After Laura covered the ways real privacy teams are working within an organization, the stage was turned over to Asra to discuss the very real challenges these teams face in the field. Drawing on her experience as a consultant and her history of working in-house, Asra gave a number of real-world examples of PHI incident investigations and the nuances in making a breach determination, including trending issues such as OCR’s recent guidance on ransomware. Here, Asra mentioned the value of using an incident intake form to bring consistency to the incident reporting process – in what information is documented, how the incidents are reported, and how these incidents can then be prioritized for follow-up.
Wrapping up our presentation, I spoke about the ways automation and technology can operationalize incident response, drawing examples from trends in changing data breach laws and the anonymized metadata from incidents documented in the RADAR platform that reveal common misconceptions in incident response.
- It takes a village: building your incident response team
- Privacy and security together: a risk-based approach to incident response
- The Challenges of Automating Privacy Incident Response