
Communicating with leadership

Culture of compliance


Threats to PHI are coming fast and furious. Although many organizations are ready to take HIPAA compliance seriously, it requires sustained attention and resources for organizations to protect PHI. That can’t happen if privacy and security officers aren’t being heard by the board and senior leaders.

In July, OCR announced it reached a HIPAA breach settlement with Oregon Health and Science University (OHSU), an academic health center. In its statement on the settlement, the agency drew attention to the vital role hospital executives and senior leaders play in HIPAA compliance. OHSU did complete risk analyses and identify vulnerabilities, including those that caused the two massive breaches named in the settlement, but no action was taken to mitigate these vulnerabilities. Without support from the top, OHSU’s security risks remained unaddressed until it was too late. Failure to address these risks came with a $2.7 million price tag, a strict three-year corrective action plan, and the kind of bad press that’s difficult to put a positive spin on.

Privacy and security officers need executive support, but obtaining it may be a challenge. Alliances with key staff and an understanding of the concerns senior leaders face can be a win for privacy and security in the boardroom.

 

Reaching for the top

Growing threats to PHI, particularly ransomware, have drawn attention to privacy and security this year. Senior leaders and members of the board may be feeling the pressure to change the way their organizations operate and step up security measures.

"I think that the danger is that there was a time when privacy and security were viewed as a very specialized and somewhat insignificant compliance area," Reece Hirsch, Esq., partner at Morgan Lewis in San Francisco, says. "But now that you have hospitals that are being hit by ransomware attacks and major security breaches, I think that boards are starting to get the message and they’re receptive to having more direct contact and input from the privacy and security officers."

Privacy and security officers will want to strike while the iron is hot, but this isn’t always simple, even with ransomware and multimillion-dollar HIPAA settlement fines in the news. If privacy and security haven’t been on the board’s radar, the privacy or security officer might not have the experience and connections that will help him or her successfully make the case, Hirsch says.

"Sometimes, admittedly, it is a little difficult, if the board hasn’t yet engaged in the subject, for someone like a privacy or security officer to by themselves drive change in the organization," he says.

Privacy or security officers can partner with the compliance officer or general counsel, he suggests. These roles will know how to speak the language the board is used to hearing and can address privacy and security issues in a broader risk and compliance management context.

 

Sending the message

Privacy and security risks may be neglected by the board and senior leaders simply because they may not fully understand them, Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP, manager of Wipfli, LLP, in Eau Claire, Wisconsin, says. They may assume these are primarily IT issues that don’t require their involvement.

"This doesn’t mean they don’t care, it just means they don’t understand the scope of security and privacy or the importance of a successful program and how it’s contributing to the success of the business," he says.

Privacy officers typically have a clearer identity and importance, he says. That role often has a longer history at an organization and a clearer, recognized place in the risk and compliance equation. In contrast, the security officer often reports to the chief information officer or IT manager. In some cases, one person may be both the security officer and the IT manager, which only promotes the misconception that security is purely an IT concern, Ensenbach says.

"Security needs to be separated from IT and reporting outside of the IT department," he says. "In my opinion, the privacy and security officers should be reporting to the same person because both pertain to the handling and safeguarding of information, regardless of the format it takes."

IT and security may seem like a logical fit, but combining the roles may cause security to suffer, Ensenbach warns. "When security officers are also the person in charge of IT, the primary demand is what is perceived as being the most important by the person," he says. "It has been my experience that in these situations, IT issues will always take precedence over security."

Both are also full-time positions and will be extremely difficult for one person to manage effectively, he adds. Senior leaders should take these factors into account when organizing departments.

Smaller organizations that need to consolidate roles may be better off combining privacy and security rather than IT and security, Ensenbach suggests. The role of a dual privacy and security officer can fall in the compliance department. Compliance, privacy, and security have a natural synergy and are well-equipped to support each other.

If privacy and security are different roles handled by different members of staff, each should make an effort to work closely together, Hirsch says. Presenting a united front will help both areas and best protect PHI.

Speaking the language

Members of the board will likely have a different perspective on the organization. Privacy and security are vital issues, but they are nevertheless demands that must be balanced against many others.

Members of the board may often have questions about privacy and security best practices and industry standards, Hirsch says. They will often be interested in making improvements but will most likely look to make reasonable changes with an eye on the budget. Privacy and security officers should go into meetings with senior leaders with realistic expectations and try to see how their areas fit into the organization’s overall risk management efforts.

Security officers should be wary of using overly technical jargon and explanations, Ensenbach says. Information should be correct and have the appropriate level of detail but should be delivered in a way the audience can understand.

"Never, ever speak in technical terms and write like you talk," he says. "Always present yourself in a professional manner and explain problems in business terms that they can relate to."

Have at least two or three solutions to a problem under discussion and explain each in terms of risk mitigation and return on investment, he adds.

Some security officers may find resources elusive if they can’t tie programs or improvements to specific compliance points, Kurt Hagerman, chief information security officer of Armor in Richardson, Texas, says. Simply explaining that a particular security method will reduce a risk won’t mean anything if the board or senior leaders don’t understand what the risk is to begin with. Although it’s incumbent upon senior leaders to learn about regulations the organization must follow, it may be difficult for individuals without a background in information security to make the connection between regulations and security upgrades. Security officers often struggle to make those connections clear, Hagerman says.

"They typically don’t understand how to convey their ideas and their needs in a way that the executives can understand and has an impact to the organization," he says.

If a security officer doesn’t understand what information leaders need to make decisions, it’s unlikely improvements will be made, he says. Some security officers may simply say an investment should be made in a new security method because it provides better security, but that doesn’t offer any context.

"Quantify that. What does better security mean? You have to start talking in terms of risk and risk reduction," Hagerman says. "Start talking about it in terms of insurance. Insurance is a conversation that executives understand."

An unaddressed security vulnerability may put an organization at risk for a certain dollar amount, but addressing the vulnerability may considerably shrink that cost. If security officers can learn to translate what they ask for into stories executives can understand, resources will be easier to come by.

However, privacy and security officers must keep in mind that organizations have many competing demands. Even if a privacy or security officer has built an excellent rapport with senior leaders and the board, not all requests will be granted. "Privacy and security officers need to accept leadership’s decisions as final and not to take decisions personally," Ensenbach says. "Accept the fact that they are paid to make the hard decisions that impact the business, not the security and privacy officers."

 

Setting an example

Setting the tone at the top may be a buzz phrase, but it has real value. The message that privacy and security are fundamental to all aspects of the organization, from financial to patient care, must go out from the top, Hirsch says. Staff members look to leadership for guidance on what their priorities should be. If an organization’s leaders don’t have privacy and security on their radar, it will be difficult to convince other staff that these are serious concerns.

HCPro.com – Briefings on HIPAA