Reece Hirsch, a partner at Sonnenschein Nath and Rosenthal (San Francisco), is a healthcare law regulatory and transactional expert. He has expertise in data privacy and security issues in the healthcare industry, including compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act. He has advised clients from virtually all sectors of the healthcare industry on privacy and security compliance matters, from development of policies and procedures to structuring of health information technology ventures.
HCI’s editor-in-chief Anthony Guerra had a chance to talk with Hirsch about the security and privacy issues facing healthcare institutions today – and how CIOs can make sure their organizations are prepared in the event of a security breach.
AG: Tell me a little bit about what you do in your position, and the sorts of issues that you deal with every day, and who you're working with in terms of customers or the people you're servicing.
RH: My clients cover a variety of sectors in the healthcare industry. I have hospital clients, I have health plan and insurance clients, and I work with physician practices, particularly larger ones. Occasionally I work with national pharmacy chains and national retailers that have privacy and security issues. I also work on privacy issues with organizations beyond the healthcare industry, such as retailers, and with a number of healthcare technology companies, such as application service providers.
AG: Who from the hospital typically approaches you and what kind of services are they looking for?
RH: Usually I’ll work with someone in the compliance or legal department if it’s a larger hospital because they have in-house counsel. First of all, I’m part of one of the larger healthcare practices in the country, and we advise hospitals on all kinds of regulatory and reimbursement issues. But for your purposes here, we’ll focus on the privacy and security work. Often, if an organization has in-house privacy expertise, they’ll be calling on me to answer some of the more complicated questions, such as the gray areas of HIPAA compliance, where they want to know if a particular practice is consistent with HIPAA and state medical privacy law. Sometimes it will involve reviewing and negotiating contracts that have privacy and security related provisions.
I also work with hospitals and other healthcare providers in developing some of these cutting-edge healthcare information exchanges. For example, I was counsel to the Santa Barbara County Care Data Exchange, which was a pioneering RHIO project that ultimately failed. It demonstrated some of the complications that RHIOs are going to face.
AG: What were some of the privacy issues that came up with the RHIO that you previously mentioned, which may have contributed to the problems that it had?
RH: I can’t name the client; however, I touched upon it a little bit in a couple of blog posts I did about RHIO regulatory challenges, part 1 and part 2. There are all kinds of state medical privacy laws that impose greater restrictions on certain categories of data, and it’s difficult to manage, and to keep those categories of information out of the RHIO. On the other hand, if they're in, then there are regulatory concerns because whenever you share those categories of information, you usually have to get specific consent from the patient. So there are issues around how you manage to keep that information out of a RHIO, and if it does go in, how you manage the consents that are required for sharing it.
In the broader picture, there was a lot of concern about what the liability risks are if the RHIO structure is inappropriate, or has a security breach, or allows for disclosures that violate HIPAA. What are the liabilities, and how do the parties to the RHIO allocate those liabilities through indemnification provisions?
Ultimately, when you're forming a RHIO, you have to assess those risks and if you don’t see enough business upside to balance out those risks, you don’t go forward. That was one of the problems in Santa Barbara.
AG: You mentioned compliance officers; what are you seeing out there in terms of the relationship that exists between a chief compliance officer and a chief information officer at a hospital?
RH: In smaller hospitals, you’ll often have one person who is their compliance officer, their privacy officer, and their security officer. And under HIPAA, you're required to have a designated privacy officer and security officer, although they could be the same individual. In a bigger organization, you’ll often see those roles splitting out. Sometimes compliance and privacy will be combined because privacy is essentially a legal and regulatory driven discipline. So often the same person is suited to compliance and privacy. But you’ll also see security broken out into a separate position because it requires that he/she have a different skill set, and a better understanding of the technical security issues.
AG: Do you see a best practice in that area? Let’s focus on the larger organizations where you see things split out. Are there any sort of best practices in terms of the overall organizational chart for a hospital where you want formal relationships established between a compliance officer and an information officer?
RH: Yes, I think probably the best practice in a larger organization is to have a separate security officer. But I think it’s important that the security officer communicate well and have a close working relationship with any privacy officer or compliance officer in the organization, because the technical requirements of security issues can't be viewed in isolation; they need to be part of a bigger compliance program. You need to make sure that the legal and regulatory overlay is being placed in the same way the security processes are being developed.
Sometimes you’ll see an IT-oriented security officer who thinks in terms of what their wish list is for getting new technologies and new measures in place. Often, there is tension because what is specified in the security-related laws and regulations is much vaguer. So there is tension between what the law requires and what security professionals view as best practice.
AG: A number of your posts have been around different leaks and breaches of information … laptops going missing, people hacking into systems. It seems to me that there has recently been a flood of information about privacy breaches; do you feel the same way, and is there any sort of common thread that’s going through these kinds of leaks?
RH: Definitely. To back up a minute, that’s another area where I get called on regularly by all sectors of the healthcare industry, whether it’s hospitals, or technology companies or health plans, they're all experiencing it … if you're large enough, you're experiencing incidents that qualify as security breaches. It’s almost unavoidable. The most typical situation is the theft of a laptop that contains social security numbers.
Organizations are facing those issues on a very regular basis now, and that’s part of what I do as well… advising them on what's the best incident response plan, what are the legal requirements under the various state laws that come into play. Because if you have a database that includes information from patients or people from multiple states, 40 states, you may have to do a very quick overview of all those different state security breach notification laws to figure out what the exact requirements are for the response.
AG: At the “Reader Advisory Board at HIMSS,” one of the things that came up was fear – almost as though organizations were waiting for the other shoe to drop. They were concerned about their data – some of these huge organizations, where they have data in God knows how many places, are really concerned about getting their arms around everything before they wind up in the news. Do you see that, and what is an approach that CIOs of these large organizations can take?
RH: I think that’s something I work on with my clients a great deal. I think the organizations that wind up looking bad in the press around these incidents are those that don’t have an incident response plan in place in advance that reflects best practices. A lot of the largest security breach incidents have led to class action lawsuits and regulatory action from a state attorney general or other regulators. And the question that regulators will ask in a lawsuit is “Did the organization act reasonably?”
The best way that you can show that you did the best you could, and you addressed these issues in a reasonable fashion is to have a formal incident response plan that you have developed, and that gives you the ability to respond quickly when these incidents occur. You need to recognize them when they occur, because the timeframe for notification is very short under these laws, so that identity theft can be prevented through corrective action. And if you have a good plan in place, then you're able to move quickly and address these sorts of concerns.
AG: What do you think the CIO’s role is in either developing or being a part of that incident response plan?
RH: Certainly there should be an incident response team that involves all the departments that come into play in a security breach, whether it’s the information security officer, privacy officer, or compliance officer – it should also probably involve human resources, and the publicity department. If it’s a publicly traded company, investor relations should play a role too. All the relevant departments should be part of that team, and certainly, because a lot of these issues are security related, the CIO should be involved in the development of that incident response plan.
AG: When you get brought into hospitals, are you seeing common mistakes, oversights, or problems that you can assume 80 percent of the hospitals out there are making? Maybe you can talk about what they might be.
RH: Actually, I wrote an article a while back on the 10 most common mistakes in security incident responses. I was actually thinking I might do a couple of blog posts where I go through some of those mistakes. Some of the most common mistakes are not recognizing that you have a reportable incident, or not communicating that to the appropriate level in the organization.
One problem that can occur is when an organization knows that it has lost a laptop, or that one has been stolen, but the information stays with rank-and-file employees, and doesn’t filter up to the appropriate compliance personnel or the privacy officer in time for the organization to respond.
Another is to delay notification by relying too heavily on the exception that’s made for law enforcement investigations. You're allowed, under most state laws, to delay notification of a security problem if it would compromise an ongoing law enforcement investigation. But you shouldn’t overuse that exception – for example, if you know that the local police department isn't investigating that laptop theft very vigorously.
AG: Do you think a number of hospitals don’t have a plan in place, or do you think possibly it’s a little light on specific requirements and work flow?
RH: All hospitals have to comply with the HIPAA security rule, and part of having that HIPAA security rule compliance plan is having some kind of written policy that addresses the incident response plan. But often, those policies aren’t as detailed as you would like, and don’t reflect the new realities after enactment of all these state security breach notification laws. I’d say most of them should have some form of a plan, but it may not be the kind of plan that will really put them in a good light if a serious incident occurs.
AG: Do you see a problem with hospitals not properly funding privacy, in the sense that they don’t have a privacy officer or security officer? I think you did say they were required to have one, but perhaps they're trying to get away with having the same person cover both roles to save money, or they're just not investing – I don’t know if these things need to be budgeted – but do you see this as a resource issue that hospitals aren’t paying enough attention to?
RH: To a certain extent, yes. First of all, you don’t have to have a separate FTE devoted to the privacy officer position. There is nothing in HIPAA that wouldn’t allow you to assign that responsibility to a compliance officer or someone else in the organization. But I would say that the hospital industry and the healthcare industry were very serious about HIPAA compliance in 2003 when the privacy rule became effective. But, I think given the strains on the healthcare system, there may be a little bit of reluctance to devote resources to updating your HIPAA policies and procedures to reflect your current practices, and to make sure that they're still entirely accurate.
I guess I would just say that the hospital industry is very sensitive to HIPAA privacy issues, and I think they’ve generally done a pretty good job of complying with HIPAA and being sensitive to it, but I think there is a little bit of “letting down the guard,” particularly because CMS and OCR have not been rigorously enforcing HIPAA or taking high profile enforcement action against providers.
AG: I've heard some people refer to the “toothlessness of HIPAA,” do you think people take false security in the fact that nothing will ever really happen to them in terms of compliance?
RH: I think that’s true, and I think that regardless of where HIPAA enforcement goes, privacy and security are important issues to patients and customers and business generally, and organizations that aren’t sensitive to those issues often pay a significant price. And we've seen that with some of the high profile security breaches.
AG: I used to cover Wall Street, and one of the things that the investment houses would talk about is reputational risk. Do you think that hospitals take that seriously as well? Even if they may not have legal ramifications, is a big security breach seen as a reputational risk?
RH: Definitely, I think that’s a huge factor. Reputational risk has certainly been significant for some of these publicly traded companies that have experienced major security breaches, and we've seen stock prices fall, class action lawsuits, regulatory action, and a number of bad consequences.
I think for the healthcare industry, in some ways, the consequences can be more severe just because medical information is viewed as being so personal and sensitive. If there is a perception that a hospital is not taking its privacy and security obligations seriously, I think that can really damage the relationship with patients and the community.
AG: And we see both kinds of breaches. We see the kind that I would call non-IT breaches, such as a lost laptop – it’s like losing a folder, or people snooping in files, things like that and the Britney Spears incident. And then you have the true IT breaches of security, where there is hacking going on. Is there a difference in your mind between the ramifications of those? What can you tell me about in terms of what you're seeing more of?
RH: We’re seeing all of those types of cases. They run the gamut, but I would say there are certain kinds of breaches that no matter what you do or how good your practices are, you're still going to experience – such as employees taking information home improperly, or people looking at files that they shouldn’t be looking at. But, I think it’s important to have appropriate practices in place to show that the organization takes those matters seriously and takes disciplinary action. I think it can be much more damaging if an organization is perceived not to have dealt with basic systemic security issues that result in a massive hacking breach, because you're dealing with something that could have been avoided by implementing reasonable security measures, and that is within an organization’s control.
Of course, the flipside is that hackers and identity thieves are getting more sophisticated all the time. There may be certain schemes that even a reasonable security compliance plan won’t prevent. But if you allow for gaps in your system that make you particularly vulnerable, then I think those are the kinds of situations that lead to an FTC enforcement action, or a settlement like the one that TJX entered into recently.
AG: As you know, CIOs are our main audience. You mention that it’s important if there is an incident to be able to show that you did what was – I don’t want to put words in your mouth – but you did what was reasonable, and you showed that you had some interest in doing a good job in protecting the privacy of data. What would be your advice, in general, to CIOs at hospitals about getting themselves in a position where they can say that they’ve done at least that much?
RH: I would say that it’s important for privacy and compliance professionals to work closely with CIOs and security professionals to make sure that the end result for an organization is a formal security compliance program that is adequately documented, and creates a record of what the organization is doing. There are certainly a lot of excellent CIOs out there who have an understanding of best practices, and work hard to apply them in their organization. But, if you don’t have a formal program that is properly documented, then you won’t be in the best position if you get into one of these high-profile incidents where your practices are being scrutinized.