Reece Hirsch, a partner at Sonnenschein Nath and Rosenthal (San Francisco), is a healthcare law regulatory and transactional expert. He has expertise in data privacy and security issues in the healthcare industry, including compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act. He has advised clients from virtually all sectors of the healthcare industry on privacy and security compliance matters, from development of policies and procedures to structuring of health information technology ventures.
HCI’s editor-in-chief Anthony Guerra had a chance to talk with Hirsch about the security and privacy issues facing healthcare institutions today – and how CIOs can make sure their organizations are prepared in the event of a security breach.
AG: Tell me a little bit about what you do in your position, and the sorts of issues that you deal with every day, and who you're working with in terms of customers or the people you're servicing.
RH: My clients cover a variety of sectors in the healthcare industry. I have hospital clients, I have health plan and insurance clients, and I work with physician practices, particularly larger ones. Occasionally I work with national pharmacy chains and national retailers that have privacy and security issues. I also work on privacy issues with organizations beyond the healthcare industry, such as retailers, and with a number of healthcare technology companies, such as application service providers.
AG: Who from the hospital typically approaches you and what kind of services are they looking for?
RH: Usually I’ll work with someone in the compliance or legal department if it’s a larger hospital because they have in-house counsel. First of all, I’m part of one of the larger healthcare practices in the country, and we advise hospitals on all kinds of regulatory and reimbursement issues. But for your purposes here, we’ll focus on the privacy and security work. Often, if an organization has in-house privacy expertise, they’ll be calling on me to answer some of the more complicated questions, such as the gray areas of HIPAA compliance, where they want to know if a particular practice is consistent with HIPAA and state medical privacy law. Sometimes it will involve reviewing and negotiating contracts that have privacy and security related provisions.
I also work with hospitals and other healthcare providers in developing some of these cutting edge healthcare information exchanges. For example, I was counsel to the Santa Barbara County Care Data Exchange, which was a pioneering RHIO project, which ultimately failed. It demonstrated some of the complications that RHIOs are going to face.
AG: What were some of the privacy issues that came up with the RHIO that you previously mentioned, which may have contributed to the problems that it had?
RH: I can’t name the client, however, I touched upon it a little bit in a couple of blog posts I did about RHIO regulatory challenges, part 1 and part 2. There are all kinds of state medical privacy laws that impose greater restrictions on certain categories of data, and it’s difficult to manage, and to keep those categories of information out of the RHIO. On the other hand, if they're in, then there are regulatory concerns because whenever you hear those categories of information, you usually have to get specific consent from the patient. So there are issues around how you manage to keep that information out of a RHIO, and if it does go in, how you manage the consents that are required for sharing it.
In the broader picture, there was a lot of concern about what the liability risks are if the RHIO structure is inappropriate, or has a security breach, or allows for disclosures that violate HIPAA. What are the liabilities, and how do the parties to the RHIO allocate those liabilities through indemnification provisions?
Ultimately, when you're forming a RHIO, you have to assess those risks and if you don’t see enough business upside to balance out those risks, you don’t go forward. That was one of the problems in Santa Barbara.
AG: You mentioned the compliance officers, what are you seeing out there in terms of the relationship that exists between a chief compliance officer and a chief information officer at a hospital?
RH: In smaller hospitals, you’ll often have one person who is their compliance officer, their privacy officer, and their security officer. And under HIPAA, you're required to have a designated privacy officer and security officer, although they could be the same individual. In a bigger organization, you’ll often see those roles splitting out. Sometimes compliance and privacy will be combined because privacy is essentially a legal and regulatory driven discipline. So often the same person is suited to compliance and privacy. But you’ll also see security broken out into a separate position because it requires that he/she have a different skill set, and a better understanding of the technical security issues.