Hospital privacy officials: Make security a proactive process

24th National HIPAA Summit: Security efforts must be ongoing, not a one-time deployment
Tools

While privacy has become increasingly top of mind for provider organizations over the past year, industry executives would be wise to focus on being more proactive about such efforts, a pair of hospital officials said Monday at the 24th National HIPAA Summit.

Rather than being an add-on to existing systems and protocols, privacy, instead, must be built in from the beginning, urged Jacki Monson, chief privacy and information security officer at California-based Sutter Health, and Morgan Vanderburg, a compliance/privacy officer at Mayo Clinic. Privacy teams must be "key stakeholders" when it comes to both decision-making and implementation of all projects, they said, noting that security is an ongoing effort, not a one-time deployment.

At Sutter, which includes 24 acute-care hospitals, Monson said that a tool was created for privacy officers at all facilities that lays out expectations as far as must-attend meetings with medical and C-suite staff. That resulted in a significant rise in the number of projects using privacy by design, from roughly 20 to more than 1,000.

One such project, she said, involved the use of Google Glass by physicians to allow them to spend more time with patients. The Glass technology connects to an offsite coder who types information about the patient during the course of the physician exam.

"We were involved right up front," she said, "making sure that we obtained the proper authorization and that we provided education to our patients" about what was going on and where their information was traveling.

Monson and Vanderburg shared four tips for organizations looking to implement privacy by design:

  1. Start small, depending on available resources: Once you've built a relationship and executives understand the true value of privacy, they will invite you to the table, they said.
  2. Illustrate the benefit to the organization.
  3. Use colleagues in the industry for examples: Don't recreate the wheel if you're a smaller organization. Leverage examples given by bigger organizations of how these efforts work, Monson said.
  4. Make sure to measure the metrics of value added: Whether you're preventing breaches or preparing the organization for a potential audit from the Health and Human Services Department's Office for Civil Rights, all of those actions add different kinds of value, Monson said. Measure what you're doing to benefit the organization.

Obtaining privacy resources can be challenging, Monson added, but if you show an organization that you're adding value, they'll usually be more open to backing an initiative.

"When I started out at Sutter Health, there was one privacy officer," she said. "I've now built that out to 39 FTEs for the privacy program, including analysts and officers.