Interviews

Interview: Jonathan Goldberger: SVP of Security Practice, TPx

The HIPAA Journal has spoken with Jonathan Goldberger, Senior Vice President of Security Practice, at TPx, a leading provider of managed IT services, unified communications-as-a-service (UCaaS), secure networks, and cybersecurity services to find out more about his experiences as an MSP providing IT services to healthcare organizations.

Jonathan Goldberger, Senior Vice President, Security Practice at TPx

Tell the readers about your career in the healthcare industry

My security career started with financial services. I worked on Wall Street for four years, and after I left, I got involved in risk management consulting. This was around 2000 when HIPAA started going into effect, and it was here that I started working with healthcare organizations to help them incorporate HIPAA controls, secure their networks and perimeters, and implement risk mitigation. From that point forward, I continued to work with security companies, helping healthcare organizations with the complexity of their IT and security infrastructure.

What was your first position?

I graduated from the University of Alabama and was offered a role working on the university’s mainframe center. It was where I began my passion for IT because it combined something that is very technical in nature with the ability to work with people. Since that time, I’ve held several different technical and leadership roles in the IT and cybersecurity space.

What is your current position?

I am currently the SVP of Security Practice at TPx, where I lead a team of technical resources who partner with companies in all industries to create a security framework that works for their organization. When it comes to cybersecurity, there is no one-size-fits-all approach. Companies need to customize their solutions to meet their specific needs, and every business is different. The healthcare industry has a very particular set of challenges they face daily, and there’s a wide range of compliance requirements that IT providers must know to be effective in the industry. It’s not just HIPAA either; now, state and local governments are passing their own data privacy laws that organizations must comply with on top of federal and industry regulations. Working for TPx, I’m in a unique position to shape technology and security solutions that will help healthcare organizations be strategic in solving the IT challenges they face, strengthening their cybersecurity, and complying with industry regulations.

Tell the readers about any significant event in your career.

During my career, I ran consulting for a very large security and network company, where I worked with a prominent nationwide healthcare organization that was implementing security controls and protections across its network. One of the solutions, Network Access Control (NAC), was implemented with the goal of ensuring no unauthorized devices could gain access and traverse the network. This was a way we could prevent any malicious traffic from getting on the network. I remember sitting down with the CISO and her saying you must capture all the medical devices; you can’t miss any of them. If a medical device can’t get on the network, it affects people’s lives. There is no room for error. We have to make sure that we’re allowing the right devices on the network while still inhibiting malicious devices from gaining access. It was truly an eye-opening experience. In any other industry, having a false positive and not allowing a machine on the network may not have life or death consequences – but in healthcare, it does. If a machine can’t get on the network, there are significant repercussions that are much more than just financial. As a security professional, it made me realize the role we are playing in making sure that the IT is secure and optimized so that healthcare providers can focus on patient care.

Are you working on any interesting projects?

What makes my role so unique is that everything I work on is interesting because no two projects are the same. Every organization has a unique set of circumstances, and while we’re all working toward the same objective — keeping organizations and their data safe — how we get there is never the same. Take small and medium-sized healthcare organizations, for example. They often don’t have the capital to hire all these IT experts and security strategists, so the work we’re doing at TPx is vital. We’re able to address these unique IT challenges organizations face and create more modernized solutions for them to achieve secure outcomes and compliance with evolving regulatory requirements.

What products/services do you provide for the healthcare industry and what is unique about them?

TPx offers a full suite of managed IT services, including internet, networking, cloud communications, and security. Our HIPAA-compliant solutions help healthcare providers improve the operations and security of their IT infrastructure. We also offer comprehensive Security Advisory Services that help hospitals, doctors, and mental health professionals understand their security vulnerabilities and identify gaps in their organization’s cybersecurity. The information gained from those services and assessments helps healthcare organizations to define a security strategy and become defensible for the compliance that is required of them. It’s important that organizations are not only being defensible but can also show their defensibility when needed. That’s why we offer a security program dashboard so that organizations can quickly and easily see the state of their security program, what security controls they have in place, and how they are meeting compliance requirements for HIPAA, Sarbanes Oxley, and more in a single place. When an auditor comes in, organizations are at an advantage and can quickly show their defensibility through this dashboard. But beyond the technology, TPx acts as a partner for healthcare providers and provides “wellness checks” to ensure their IT infrastructure is healthy, networks are optimized, systems are secure, and compliance requirements are being met.

When did you first get involved with HIPAA compliance?

I first got involved in HIPAA compliance when it first came out. At that point in my career, I was working in risk management consulting and had been using industry best practices as a baseline for our consulting services. At the organization I worked for, we had a healthcare expert on staff who sat us down and really went through all the HIPAA requirements and how they translated to an organization’s IT needs. Her name was Mame Gordan, and she really gave the best advice I’ve ever received associated with compliance, which is this: it’s hard to be 100% compliant. The goal of any compliance program should be defensibility. That’s really the goal of any security program or gap assessment. Are you defensible to the regulations required of you? Because when an auditor comes in, they have an interpretation of what they see, which ultimately leads to their findings. Organizations should always focus on the outcome of being defensible because that level of defensibility ultimately helps protect the organization and results in better audit outcomes.

What are your main challenges regarding HIPAA?

Too often, we see that organizations just want to check the box when it comes to HIPAA compliance, when really HIPAA should be one aspect of a security program. The real outcome is about protecting patient data and the healthcare organization through a comprehensive security program, but a byproduct of it is being defensible to various regulatory requirements, like HIPAA, that providers need to meet. Many organizations need to shift their thinking when it comes to HIPAA compliance. It needs to be less about checking the box and more about protecting data and being defensible. When you have a broad security program that encompasses security controls and protections, you can show your defensibility to the regulations of today but also the regulations of tomorrow. Regulatory requirements are constantly adapting and evolving, so having a strong security program in place ensures you may only have to tweak certain aspects versus doing a heavy lift to comply with new regulatory standards. Organizations should always focus on their program versus the specific controls of compliance – it ultimately puts you in a better position as regulations evolve.

Do you have any predictions for the future of HIPAA?

As cybersecurity threats continue to evolve, HIPAA regulations will evolve as well. There won’t be fewer requirements. This will really be the case for all regulations, not just HIPAA. Healthcare providers must adopt security programs that can continue to evolve and mature because there will only be more regulatory requirements that organizations must meet. It’s not enough to say you have a policy or a program – you must prove that you’re actually doing it and have been doing it consistently. That evolution we’ve already seen in other regulations, like the Safeguards Rule. It’s now equally as important that you show there is a security practitioner who is maintaining the program as having the program in place.

Do you have any predictions for the future of healthcare regulation?

Healthcare regulation will also continue to evolve. I think we will see that the complexity of these regulations will only increase. Now, more and more states are driving their own data privacy and security requirements, so if you’re a healthcare provider that has citizens in different states, you will have a much more complex regulatory landscape. Predicting the requirements of these regulations might be difficult, but that doesn’t mean organizations can’t prepare for what’s to come. That’s why, when it comes to technology, they must put in place a security program that can grow and evolve as their company and regulatory requirements evolve.

Do you have any predictions for the future of healthcare technology?

Healthcare technology is going to continue to evolve to provide greater efficiencies for healthcare organizations, from adding in automation as much as possible to continuing the evolution of virtual healthcare. Automation will also utilize more AI to make them as cost-effective as possible. I think there is a very realistic scenario that we will call into a provider and have AI that is helping us deduce what the actual issue is and make recommendations without being an actual doctor. Technology will continue to evolve, but the security concerns won’t go away. Healthcare organizations must continue to prioritize their security programs and adapt them as new technologies emerge.

Do you have any predictions for the future of the healthcare industry?

Privacy and security are becoming a daily topic for so many healthcare professionals, especially with information existing in so many different places and technologies. All healthcare organizations will need to prioritize a comprehensive security program as they adopt new technologies and modernize to the cloud. And security and compliance are no longer just for large organizations. Every healthcare organization must make it a top priority to become defensible.

Do you have anything else interesting to share with readers?

Achieving compliance and maintaining cybersecurity doesn’t have to be an unattainable prospect. Companies need to look to the right partner — one who knows the landscape, one who looks at compliance as a program versus an action, and a partner who seeks to incorporate automation and orchestration in their solutions. Defensibility and strategic success are closer than companies realize.

You can contact and connect with Jonathan Goldberger via LinkedIn: https://www.linkedin.com/in/jonathangoldberger/

The post Interview: Jonathan Goldberger: SVP of Security Practice, TPx appeared first on HIPAA Journal.

Interview: Zbyněk Sopuch, Chief Technology Officer, Safetica

The HIPAA Journal has spoken with Zbyněk Sopuch, Chief Technology Officer at Safetica Inc., a global software company that provides business data protection and insider threat prevention solutions to organizations including HIPAA-regulated entities.

Zbyněk Sopuch, Chief Technology Officer at Safetica Inc.

What is your current position?

My current role is Chief Technology Officer (CTO), where I strike a balance between the world of technology and our customers’ needs, including healthcare customers.

What was your first position?

I started as an OS security developer, understanding the details of protection and weak points of different operating systems. Then I started to grow through various organizations, including Safetica, through different leadership roles in product development, allowing me to get a strategic understanding to balance cost, value, and engineering. For me, connecting technology with real-world scenarios and organizational demands has become very fulfilling.

Tell our readers about your career in the healthcare industry

My first professional contact with the healthcare industry was 11 years ago as head of software development for a Data Leak Protection solution. Besides the protection of intellectual property, having hospitals and private clinics as clients brought us into data regulation even before the personal data regulation era. One of the key parts of the healthcare industry is the protection of patient data, established in the US through HIPAA, and here in Europe with parallel HHS safeguards, which are quite similar. A key role of these early data leak solutions was aligning organizations in compliance with these healthcare regulations. On a particular level, some of my first tangible experiences in healthcare have been around data protection in a chain of private reproduction clinics. Data there felt personally very sensitive, and I began to understand data protection in healthcare as the extension of the trust between a doctor and a patient.

What are the main challenges in your current position?

At Safetica, we saw global demand for data security grow over the last ten years, and we see the medical sector as a key driver of that growth, due to rising data regulations, the emergence of digital transformation in the sector, and increasing data mobility across private and public networks. The mission of Safetica is to bring this enterprise-level data security to small and medium businesses, with limited IT resources and capacities.

Are you working on any interesting projects?

At the moment, I’m deeply involved in an exciting project centered around our Safetica DLP Cloud Security solution, specifically tailored for the healthcare sector in the USA. Recognizing the unique challenges faced by small medical practices and health tech companies, especially concerning patient data security and regulatory compliance like HIPAA, we’re refining and enhancing Safetica DLP to ensure it is intuitive, scalable, and effective. Our goal is to provide these practices with a robust data loss prevention tool that not only safeguards sensitive patient information but also seamlessly integrates with their workflows, ensuring that they can maintain the highest standards of data protection without any added complexities.

What products/services do you provide for the healthcare industry and what is unique about them?

We provide the healthcare industry with our DLP solution, which strikes a balance between security and operation. Straightforward implementation and ease of use are critical for us. We understand security in healthcare is necessary, but not the primary business. So, our solution is aimed to empower smaller clinics, for example, with internal trust and confidence to deal with sensitive patients’ data without having large resources. We have it designed to fit into all types of environments and regulations, so, for example, we provide a managed cloud version for regular offices and clinics, but even a version for self-managed use in the cloud or on-premises for organizations with the highest demand for connectivity separated from the general web and with maximum control.

What are your main challenges regarding HIPAA?

While HIPAA is undeniably important for patient data protection, its nature poses challenges, especially for smaller entities. It’s written by lawyers for lawyers, and while larger institutions have dedicated teams to decipher and implement its guidelines, smaller clinics or practices might struggle with the complexity. They often lack the resources to hire specialists, leading them to rely on common sense, intuition, and, hopefully, some form of digital assistance. Staying updated with the ever-evolving regulations and ensuring that every staff member is trained and compliant adds another layer of complexity. Our aim with Safetica DLP is to bridge this gap, offering a tool that simplifies the compliance process for these smaller entities, making it more intuitive and less resource-intensive.

Do you have any predictions for the future of healthcare technology?

Maybe I will try to put my future glasses on. I don’t know what the exact future for regulations will be – but there is a certainty that there is going to be more of them. Even in healthcare, but definitely in personal data protection. The natural progression is for regulations and increasing demand for digital security to rise, as well as to be outsourced. Just as we outsource IT administration, litigation, and taxes, we are going to outsource even regulatory compliance and digital security. Probably to SaaS (software/security as a service) models or to managed providers (managed security as a service).

Interview: Wei Pan, Head of Engineering, Celo Health

As part of our interview series, we spoke with Wei Pan, Head of Engineering at Celo Health. Celo Health is the developer of a HIPAA-compliant secure messaging platform that enables healthcare teams to collaborate seamlessly and securely on patient care.

Wei Pan, Head of Engineering at Celo Health

Tell the readers about your career in the healthcare industry

I hold more than 15 years of experience in software development, specifically in the area of healthcare security. I graduated from the University of Auckland with a bachelor’s and a master’s in computer science. My development expertise is focused on cloud software architectures and web applications, iOS, Android, and Microsoft technologies. A key part of my career over the years has been managing development teams in different parts of the world. I’ve been able to manage these dynamics successfully primarily because of the type of development methodology I’ve implemented, called Kanban. This is an agile development method focused on process improvement, managing workflow efficiently, fostering team collaboration and transparency, and reducing lead time for new ideas from the ideation cycle all the way to customer delivery. To be successful in software development, you must focus on process improvement so the end result is quality, reliability, and rapid delivery to the customer. Most importantly, the software we develop must be highly secure and compliant with numerous regulations worldwide, including HIPAA and the HITECH Act.

What was your first position?

My first position was as a software programmer and then later as a development manager for a company that focused on patient safety in an anesthetic environment. This is where I honed my skills in developing software compliant with patient data security standards, as well as improving workflow that led to better outcomes for patients in anesthesia departments.  Early on, I realized the need to develop solutions for healthcare companies that were easy to use. Healthcare companies don’t have time to learn complex technology since they need to focus on what they do best – patient care. Just as important, the software had to fit their needs rather than the healthcare company changing its processes to fit the software.

It was also during this early part of my career that I learned about hand-held mobile technology – such as Nokia phones – before smartphones were invented.  This was invaluable experience for me since a lot of the cutting-edge technologies with those devices at the time became the technology foundation that allowed the breakthrough of smartphones. I learned valuable lessons during this part of my career on how critical it is for software companies to be always looking ahead to how new and emerging technologies can improve software so it evolves with the market’s changing needs and rules and regulations.

What is your current position?

For the past five years, I have served as Head of Engineering for Celo Health. I lead a team of engineers located in different countries and time zones. We have dedicated teams focused on iOS, Android, cloud, and web technologies. Other parts of our team include quality assurance, product designers, and maintenance.

What are the main challenges in your position?

The biggest challenge I was faced with when I joined the company was building a new solution architecture from the ground up. As we rewrote the software, the focus was building a global platform with high scalability, security, and ease of use. Our focus on usability really helped define a market advantage for Celo’s software since customers report instant onboarding of employees with little to no training needed.

A major challenge, not unlike other companies, is recruiting the right people. Naturally, we want to recruit bright and technically proficient employees with the right mindset. Successful development requires employees who understand and share the same vision of the company and are passionate to learn new technologies. We also seek employees who want to take responsibility and support their colleagues in other technology areas beyond the scope of their job roles.  These are important attributes since it allows us to give them a sense of ownership and to be a critical part of delivering value to our healthcare customers.

Another key challenge, which is common for many small- or medium-sized software companies, is the ability to deliver quickly to market. That is critical for company growth.  Healthcare companies need to evolve based on their market dynamics and changing regulations. Software has to keep up with all that so we are constantly developing new features and custom workflows for our customers so they can deliver better outcomes, meet compliance requirements and compete more successfully in their market. That’s why software development is not a clock-in type of job but rather one that may require long hours, at times, to meet goals and deadlines. We manage this by offering the latest business and development software technologies, tools, and methodologies for our teams in a very flexible work environment.

Tell the readers about any significant event in your career

The most significant event for me was starting my career with Celo, where I took on the ambitious challenge of completely overhauling the product architecture to suit the future growth of the platform. It required rapid recruitment of technical specialists in cloud, web applications, Microsoft and iOS and Android, among other technologies, as well as implementing new processes and methodologies. All of this had to be done quickly and in less than a year. This work was validated after we delivered a platform that not only offered high security, scalability, and ease of use but also collaboration features specifically tailored for healthcare providers.

Are you working on any interesting projects?

Our team is continuously evolving Celo’s platform with new features to keep up with our customers’ changing needs. We are working on bringing the best of technological innovation to healthcare professionals in our platform such as AI.

What products/services do you provide for the healthcare industry and what is unique about them?

Celo Health provides a HIPAA-compliant messaging platform that enables healthcare teams to collaborate seamlessly and securely on patient care. Celo’s platform, which utilizes health-grade encryption, differentiates itself by being one of the few solutions in the market that is not only HIPAA-compliant but also globally compliant with international data security regulations.

The platform features a built-in directory that enables healthcare teams to reach the right person instantly. It is so easy to use that many customers report a 92 percent onboarding rate of staff in the first week of implementation. Celo’s technology also utilizes Microsoft Azure, a cloud computing platform, which has more security certifications and accreditations – HIPAA and globally – than any other cloud provider in the market. Celo’s goal is to go above and beyond the required minimum standards. Consequently, we provide input on how to safeguard healthcare information for the future by working directly with regulators on future healthcare privacy legislation.

When did you first get involved with HIPAA compliance?

I became involved with patient data security early on in my career. However, my involvement in developing HIPAA compliance software started when I joined Celo. We used some of the top HIPAA consultants in the industry to provide us with guidance on developing our technology. Our experience in developing compliant software with GDPR, ISO 27001, SOC 2 cloud compliance, Cyber Essentials, and ICO also proved valuable when working to achieve HIPAA compliance within our platform.

What are your main challenges regarding HIPAA?

The wording, rules, and policies are a bit outdated. A lot of their rules also don’t apply to software-as-a-service (SaaS) companies. So, HIPAA needs to address standard rules on how technology complies with patients’ data, and specifically, how data is transmitted in a secure cloud deployment model. There needs to be a clear blueprint for this.

What do you think needs to be improved in the HIPAA regulations?

I believe HIPAA needs to align better with international global standards such as GDPR. I believe the HHS can learn from the GDPR, Europe’s strict data security policy, and find a balance that fully addresses the evolving trends in U.S. healthcare regarding patient data security, as well as cybersecurity. There are also data security and cybersecurity best practices being introduced by standard organizations such as IEEE and through security industry conferences, as well as by Microsoft, Google, and Amazon, that can be leveraged by the HHS to update the HIPAA regulations.

Do you have any predictions for the future of HIPAA?

The software industry offers data security technology that can promote more data sharing and interoperability (better integration and connectivity with other data sources) in the healthcare industry. I think HIPAA will move to promote those areas and allow better access to software throughout the healthcare ecosystem.  HIPAA also needs to address data security in terms of the consumerization of health care with patients’ growing need to access their data, as well as new healthcare deliverable models like Telehealth and new entrants in the market such as Walmart’s health supercenters and Amazon’s online health services.

Do you have any predictions for the future of healthcare regulation?

There are many new healthcare provider models that have been introduced to fill in the gaps on patients’ access to healthcare whether it’s constrained due to economic, medical worker shortages, or geographic issues. Future healthcare regulation will need to address these new entrants, such as the single doctor operating out of his home, retail health supercenters, and online healthcare services, to name a few.

Do you have any predictions for the future of healthcare technology?

Technology will make it easier to deliver full and unified information on patients. Currently, there are gaps in information primarily due to the lack of interoperability but that is changing as technology companies develop open, standard-based platforms that easily integrate with other systems and applications. More technology applications will offer integration with Artificial Intelligence which will transform healthcare business processes and make patient care, reporting, compliance, and administration more productive and efficient.

Do you have any predictions for the future of the healthcare industry?

I believe the healthcare industry will more widely adopt healthcare interoperability standards, rules for exchanging healthcare data electronically among different systems or applications, such as FHIR, and HL7.  As healthcare providers are faced with more financial constraints and limited resources, they’ll see the benefits of interoperability through more efficient and productive operations.

Anything else you would like to share with our readers?

The consumerization of healthcare has led patients to seek more personalized care, transparency in pricing, and more choices such as retail clinics and virtual care. At the same time, healthcare organizations are faced with daunting challenges in terms of financial resources, declining workforce resources, and changing compliance requirements.  Celo and others continuously deliver new products to address these evolving business dynamics. Healthcare has taken its time in adopting new technology, but this will change in the near future as providers now see the benefits: more cost efficiencies, improved productivity, easier compliance, and most importantly, better patient outcomes.

Interview: Stacey A. Tovino, JD, PhD, William J. Alley Professor of Law, University of Oklahoma College of Law

HIPAA Journal is conducting interviews with healthcare professionals, compliance professionals, and industry service providers to find out more about their experiences with HIPAA, their successes, and the challenges they have faced and continue to face with HIPAA compliance. This week, Stacey A. Tovino, JD, Ph.D., William J. Alley Professor of Law and Director of Graduate Healthcare Law Programs, The University of Oklahoma College of Law, shared her thoughts.

Stacey A. Tovino, JD, Ph.D., William J. Alley Professor of Law and Director of Graduate Healthcare Law Programs, The University of Oklahoma College of Law

Tell HIPAA Journal readers about your current position.

I currently serve as the William J. Alley Professor of Law and Director of Graduate Healthcare Law Programs at the University of Oklahoma College of Law. I am an elected member of the American Law Institute and an invited fellow of the American Bar Foundation. My current research focuses on privacy, security, and breach notification law and my privacy, security, and breach notification-related scholarship work is published in textbooks, casebooks, encyclopedias, law reviews, medical and science journals, and ethics and humanities journals, including Duke Law Journal (2022), Notre Dame Law Review (2019), Iowa Law Review (2019), and Alabama Law Review (2018).

What was your first position?

My first post-law school position was as an associate attorney at Vinson & Elkins in Houston, Texas.

What are the main challenges in your position?

My main challenges include keeping up with state law developments relating to privacy, security, and breach notification law.

Tell the readers about your career in the healthcare industry.

I have served as Chair of the AALS Section on Law and Mental Disability (2009), Chair of the AALS Section on Torts and Compensation Systems (2018), Chair of the AALS Section on Law, Medicine, and Health Care (2022), Chair-Elect of the AALS Section on Law and Mental Disability (2021-2022), Chair-Elect of the AALS Section on BioLaw (2021-2022), Chair-Elect of the AALS Section on Law and the Humanities (2022), Chair-Elect of the AALS Section on Law Professors with Disabilities and Allies (2022), and Executive Committee Member of the AALS Section on Teaching Methods (2020-2022).

Prior to joining the faculty at the University of Oklahoma College of Law, I served for a decade as the Judge Jack and Lulu Lehman Professor of Law and the Founding Director of the Health Law Program at the University of Nevada, Las Vegas (UNLV) William S. Boyd School of Law, and in 2019, I received UNLV’s Top Tier Award, an honor bestowed on faculty members who demonstrate excellence in all five areas of UNLV’s Top Tier Mission.

I have also served as Founding Director of the Health Law and Policy Center and Associate Professor of Law at Drake University Law School (2008-2010); Assistant Professor of Law at Hamline University School of Law (2006-2008); Visiting Assistant Professor, Research Professor, and Adjunct Professor at the University of Houston Law Center (2003-2006); and attorney in the Health Industries Group of the Houston office of the international law firm Vinson & Elkins (1997-2003).

During my practice, I have represented physicians, scientists, allied health professionals, general and special hospitals, academic medical centers, organ procurement organizations, blood banks, and nonprofit healthcare organizations in civil, regulatory, operational, and transactional matters. I am an enthusiastic teacher of HIPAA Privacy Law and earned law school-wide teaching awards in 2009, 2012, 2013, 2014, 2016, and 2020, as well as an OU College of Law Institutional Impact Award in 2021.

When did you first get involved with HIPAA compliance?

I attended law school at the University of Houston between 1994 and 1997. In August 1996, right at the start of my third year of law school, President Clinton signed HIPAA into law. HHS published its first proposed privacy rule in November 1999, shortly after I began practicing law. I have focused on HIPAA privacy matters my entire career.

Are you working on any interesting projects?

Yes. My most recent law review article focuses on the lack of HIPAA protections for student treatment records. Given that FERPA (the Family Educational Rights and Privacy Act) also excludes student treatment records from protection, leaving them only to state law, I am arguing that state law is insufficient to protect the sensitive and sometimes stigmatizing information in these records.

What do you think needs to be improved in the HIPAA regulations?

HIPAA needs to improve its protection of student treatment records and reproductive health information, just to name two.

Can you explain the current problem with student treatment records?

The HIPAA Privacy Rule’s use and disclosure requirements (45 C.F.R. 164.502-.514) and individual rights (45 C.F.R. 164.520-.528) only apply to protected health information (PHI). In addition, the HIPAA Security Rule’s administrative, physical, and technical safeguards only apply with respect to electronic PHI (ePHI). Moreover, the HIPAA Breach Notification Rule only applies to unsecured PHI (uPHI).

To be protected by any of the HIPAA Rules, then, there must be PHI. The catch is that the HIPAA Rules exclude “student treatment records” from the definition of PHI. (Student treatment records are defined to include the medical records created and maintained by university-owned student health centers about postsecondary students that are not disclosed for non-treatment purposes.) Moreover, the Family Educational Rights and Privacy Act (FERPA) also excludes student treatment records from the definition of education records. The result is that student treatment records are only protected by state law. Unfortunately, state facility licensing laws, state medical record privacy laws, state data security laws, state breach notification laws, and new state consumer data protection laws provide minimal, if any, protections for student treatment records due to relevant exceptions, including exceptions that apply to HIPAA covered entities, educational institutions, and/or student treatment records.

The result is that many student treatment records are only protected by antiquated privacy provisions set forth in state professional practice acts. However, most state professional practice acts: (1) do not carefully or heavily regulate the use and disclosure of student treatment records; (2) do not provide students with comprehensive rights relating to their health information, including the right to receive a notice of privacy practices, the right to request additional privacy protections, the right to correct inaccurate medical record entries, the right to receive an accounting of disclosures, the right to be notified of privacy and security breaches, or the right to mitigation of harmful effects associated with such breaches; (3) do not require the implementation of administrative, physical, or technical safeguards designed to ensure the confidentiality, integrity, and availability of student health information; and (4) are not aggressively enforced (or enforceable) through stringent civil and criminal penalties, qui tam provisions, or private rights of action.

In a forthcoming article due to be published this year – Privacy for Student-Patients: A Call to Action, Stacey A. Tovino – I propose and justify amendments to the definition of protected health information under HIPAA and the definition of education records under FERPA. If my proposals are implemented by HHS and Congress, respectively, student treatment records will be protected by the HIPAA Rules at all times during their life span.

How do you feel HIPAA is failing to ensure the privacy of reproductive health information?

The HIPAA Privacy Rule currently treats reproductive health information like any other class of health information, including orthopedic information, dermatological information, or neurological information. Stated another way, reproductive health information is not specially protected under the HIPAA Privacy Rule. One idea is to apply heightened, or more stringent, confidentiality protections to reproductive health information. For example, the HIPAA Privacy Rule already provides heightened confidentiality protections to psychotherapy notes. Why not reproductive health information as well?

In particular, the HIPAA Privacy Rule prohibits covered entities from using or disclosing psychotherapy notes without the patient’s prior written authorization for any payment purposes under 45 C.F.R. § 164.506(c)(1) and (3); for treatment purposes under 45 C.F.R. § 164.506(c)(2); for law enforcement purposes under 45 C.F.R. § 164.512(f); and for most judicial and administrative proceedings purposes under 45 C.F.R. § 164.512(e). See 45 C.F.R. § 164.508(a)(2) (setting forth the only situations in which a covered entity may use or disclose psychotherapy notes without patient authorization). In an article that is forthcoming in the Cardozo Law Review – Confidentiality Over Privacy, Stacey A. Tovino, 44 Cardozo L. Rev. 101 – I show how these special protections could be applied to reproductive health information as well.

Do you have any predictions for the future of HIPAA?

I am looking forward to HHS regulations that will address whether patients injured by privacy violations can serve as qui tam plaintiffs and recover a portion of the settlements or penalties recovered by HHS.

The post Interview: Stacey A. Tovino, JD, PhD, William J. Alley Professor of Law, University of Oklahoma College of Law appeared first on HIPAA Journal.

Interview: J. Veronica Xu, Chief Compliance Officer, Saber Healthcare Group

HIPAA Journal is conducting interviews with healthcare professionals and vendors to get their points of view on HIPAA, how the legislation relates to their roles, and the successes and challenges they face with HIPAA compliance. This week, J. Veronica Xu, Chief Compliance Officer, Saber Healthcare Group, shared her thoughts.

J. Veronica Xu, Chief Compliance Officer, Saber Healthcare Group

Tell the readers about your career in the healthcare industry

I currently serve as the Chief Compliance Officer for Saber Healthcare Group – one of the largest long-term care providers in the nation. As a long-term care provider with more than 120 facilities in the nation (including skilled nursing facilities and assisted living facilities), we provide individualized care to patients and residents in seven states.

What was your first position?

I worked as an attorney at a law firm.

When did you first get involved in HIPAA compliance?

When I was practicing law and advising corporate and individual clients on various legal matters, HIPAA compliance issues would come up from time to time. When I first assumed the current role, HIPAA compliance was part of the compliance department’s responsibility. So naturally, I took on the task, and have been managing our organization’s HIPAA compliance since then.

What attracted you to further your career in compliance?

I love what I do and I am passionate about compliance work. As people can imagine, compliance is not an easy field and it is full of roadblocks and challenges, but that makes it exciting too because the risk landscape is constantly evolving, which requires compliance professionals to adapt, adjust, assess, reflect, and improve. Furthermore, compliance work is important.

What are the main challenges in your position?

Keeping up with emerging risks, operationalizing legal and regulatory requirements and incorporating them into daily practices and processes, maintaining the compliance momentum, and fostering a culture of compliance.

What are your main challenges regarding HIPAA?

Operationalizing the legal and regulatory requirements, making the rules easy to understand for everyone in the workforce, and continuing to heighten employees’ awareness of the HIPAA Rules and the importance of HIPAA compliance.

What do you think needs to be improved in the HIPAA regulations?

I think it is safe to say laws and regulations are not the world’s most interesting or digestible thing for people to read. The reality is they are written by legal professionals, but not everyone in our society is a lawyer. When doing compliance work, we always keep some key elements in mind, such as clarity, simplicity, and practicality, because we want our staff members and patients/residents to appreciate what the requirements and expectations are.

If the language of the rules seems vague or confusing, it will be hard for front-line staff to comprehend, thus further making it difficult to operationalize and ensure compliance. When patients/residents don’t understand the HIPAA Rules and are applying them incorrectly, it can cause unnecessary tension between the patient/resident and the provider. Clear, concise language would certainly help. Moreover, practicality and feasibility should also be taken into consideration. Sometimes, certain measures look wonderful on paper, but may not be realistic or have any pragmatic values in practice. The bottom line is: we all want to meet our residents’ needs. The laws and regulations not only serve as guardrails and deterrence but should also be a resource, tool, and guide that can help all of us carry out our responsibilities in the most effective and efficient manner.

Do you have any predictions for the future of healthcare regulation?

As new risks and challenges continue to emerge, there will definitely be more rules and regulations concerning the practices in the healthcare industry – whether it is relating to the care that people receive or the technology that is used to assist with care delivery or information transmission.

Do you have any predictions for the future of healthcare technology?

Technology will become more advanced and will be able to assist healthcare providers with catching errors early on and rendering high-quality care to patients. It will be an indispensable tool in the healthcare sector.


Interview: Natalie Birindelli, Healthcare Engagement Advisor, Amazon Web Services

Natalie Birindelli, Healthcare Engagement Advisor at Amazon Web Services has shared her thoughts on HIPAA and how the legislation relates to her role and her career.

Tell the readers about your career in the healthcare industry

Experienced Healthcare Cybersecurity/Information Technology Leader with over 20 years in the hospital & healthcare industry. Skilled in Telehealth, Cybersecurity, Cloud Infrastructure, Communications, Education and Awareness, Program and Healthcare Management, Privacy with an innovative approach to implementing complex technical solutions.

What was your first position?

Medical Assistant/Billing Specialist at Elite OB-Gyn/Genetics Consultants of VA and MD for 6 years. Then worked in McLean, VA, where I assisted a team of physicians with all aspects of patient care for multi-facilities including processing and submitting referrals, insurance claims and consultation letters, reconciling medical billing and follow through with insurance carriers, and I implemented the 1st EHR, Medisoft software, and trained all clinicians and staff.

What is your current position?

Healthcare Engagement Advisor. I provide cloud compliance advisory services for the healthcare industry through their cloud journey.

What are the main challenges in your position?

Mitigating concerns about cloud compliance in healthcare; the siloed landscape of health systems leads to redundancy and challenges in regard to ensuring compliance across outdated systems which were never developed to scale to today’s ever-evolving threat landscape.

Tell the readers about any significant event in your career.

I implemented a multi-million-dollar comprehensive cyber program which was the largest change transformation for a large international health system. Building trust, transparency and soliciting input from our clinicians was critical to its success. When the pandemic hit, the need for a technical resource with clinical background to implement acute care Telehealth was required and I stepped up to the challenge. The program was such a success, it became the gold standard across the health system, and I was presented with an award of excellence.

What products/services do you provide for the healthcare industry and what is unique about them?

I provide cloud compliance advisory services. Being on the operations side for over 20 years, understanding the nuances of the industry is invaluable to our customers as they face ongoing financial, organizational and threat intelligence challenges.

When did you first get involved with HIPAA compliance?

Straight out of high school, working for a physician practice, I was a medical assistant but also implemented the EHR and trained providers on it.

What are your main challenges regarding HIPAA?

Ensuring that unintentional disclosures are addressed and remediated, and that controls are in place to mitigate them.

What do you think needs to be improved in the HIPAA regulations?

Removing barriers to the more vulnerable populations that may not have the education or access to resources to help drive better outcomes.

Do you have any predictions for the future of HIPAA?

Increased alignment with GDPR regulations and more control to patients over access and sovereignty of that data.

Do you have any predictions for the future of healthcare regulation?

If anything, COVID has shown the healthcare industry it can pivot at an unprecedented rate. Innovation and technical barriers to social determinants of health will be addressed leading to more patient engagement and transparency for healthcare providers.

Do you have any predictions for the future of healthcare technology?

The use of AI/ML will mature over time and reduce unconscious bias as we look at improving outcomes and value-based care.

Do you have any predictions for the future of the healthcare industry?

Innovation, the use of smart technology to alleviate the administrative burden on extended IT staffs, and utilizing cloud technologies to improve compliance/risk posture will lead to better outcomes for patients, caregivers, and support staff.


Interview: John Jessop, Sr. Director, HIPAA Security & Regulatory Compliance, PPFA

HIPAA Journal is conducting interviews with healthcare professionals and service providers to find out more about their compliance journeys, how the HIPAA Rules have affected their working lives, and the successes and challenges they have faced with HIPAA compliance.

John Jessop, MHA, CISSP, CHPS, HCISPP, CISA, CMPE, Sr. Director, HIPAA Security & Regulatory Compliance, PPFA has shared his thoughts.

John Jessop, MHA, CISSP, CHPS, HCISPP, CISA, CMPE, Sr. Director, HIPAA Security & Regulatory Compliance, PPFA

Tell the readers about your career in the healthcare industry

I started my healthcare career as a lab tech back in 1982. Since then I received a Masters in Healthcare Administration from Baylor University, have worked in hospitals in a variety of roles from Facilities Management and Safety Management to Family Medicine Residency Program Administrator to VP of Physician Services, managed a number of physician practices, functioned as a healthcare software salesperson, worked as a consultant, was a VP of IT, and finally ended up as a Senior Director, HIPAA Security and Regulatory Compliance for a national corporation.

What was your first position?

My first position in healthcare was working in a hospital lab. After rotating through all lab sections, I focused in Microbiology, and then worked in the Morgue assisting in autopsies and doing Histocytology-related job functions. I found that I liked working in healthcare because of its mission, and wanted to try working in different areas in support of healthcare providers.

What is your current position?

At present, I am the Senior Director of HIPAA Security and Regulatory Compliance at a national healthcare organization, and work remotely for our Manhattan office. My office is responsible for keeping our affiliates informed regarding regulatory changes at both the Federal and State-levels. I lead our HIPAA Committee and Subcommittees (Privacy, Security, and Risk Management), and our Data Privacy Committee. I also participate in our Data Governance Committee and support our Enterprise Risk Management Committee.

What are the main challenges in your position?

The foremost challenge is HIPAA itself, and the lack of Federal guidance related to data privacy and security. HIPAA is extremely dated – it was drafted in 1994/5 and became a law in 1996. Prodigy and AOL were the major internet players then, and EHRs were not in widespread use. Most recently, HHS OCR issued an NPRM regarding a number of HIPAA Privacy Rule modifications in December 2020, and yet still nothing has changed. With respect to HIPAA Security, the 2021 HIPAA Safe Harbor Rule provides a mechanism for an organization to potentially lessen fines or penalties assessed by HHS OCR if an organization follows a recognized cybersecurity framework guide like the NIST Cyber Security Framework (CSF) or the 405(d) Committee’s Health Industry Cybersecurity Practices (HICP), but HIPAA still only has high-level, dated security guidance. We have had to push to implement policies and practices that are not spelled out under our guiding healthcare privacy and security regulation (aka HIPAA), a battle that requires ongoing leadership and Board education to ensure that appropriate budgetary support is secured. Having a law that we could point to would help us get what we need to ensure that our patients’ data is both secured and kept as private as is possible.

Are you working on any interesting projects?

We are implementing a privacy and security State and Federal legislation tracker that will be pushed out to all of our affiliates. It has been a fun project which pulls data from a third party into our data analytics platform, and then is posted to our corporate intranet.

When did you first get involved with HIPAA compliance?

My first HIPAA-related role was as a WEDI-SNIP Committee member for NH/VT back in 2000. We worked with the NH and VT Hospital Associations and Medical Group Management Association to help healthcare organizations become familiar with HIPAA, Administrative Simplification, and HIPAA Privacy requirements. When I worked as a consultant, I provided organizations with Privacy Policies and Security Manuals. I currently work with our Office of General Counsel elements, our State and Federal Policy Teams, our affiliates, and our IT/InfoSec Departments on HIPAA and other regulatory issues (like the 21st Century Cures Act, COPPA, the FTC Act, etc.).

What do you think needs to be improved in the HIPAA regulations?

The HIPAA Privacy Rule needs to be updated to reflect current industry concerns, such as privacy related to interoperability, protections around reproductive healthcare data, the role of social media in healthcare, the addition of new covered entities, addressing personal health applications, and changes related to data privacy management. The HIPAA Security Rule should be tied directly back to the 405(d) Program’s HICP or to the NIST Cybersecurity Framework. HIPAA Security Rule requirements should be far more prescriptive. Additionally, HHS OCR should be required to provide an annual update of the HHS OCR HIPAA Audit Protocols.

Do you have any predictions for the future of healthcare regulation?

HIPAA/HITECH and the 21st Century Cures Act will gradually be amended to come into complete congruence. I predict that there will eventually be a uniform data privacy act, but I only have 9 years to retirement so I may not see it. I think that there will be a strengthening of information security requirements across Critical Infrastructure Sectors primarily driven by financial pressures caused by the impact of ransomware. Here again, the States seem to be doing more in that area than the Federal government, but the security legislation is fairly haphazard and inconsistent across industries.


Interview: Kimberly Heimback, Compliance Officer, WNY BloodCare

HIPAA Journal is conducting interviews with healthcare professionals and service providers to find out more about their compliance journeys, how the HIPAA Rules have affected their working lives, and the successes and challenges they have faced with HIPAA compliance.

Kimberly Heimback, Compliance Officer, WNY BloodCare has shared her thoughts.

Kimberly Heimback, Compliance Officer, WNY BloodCare.

Tell the readers about any significant event in your career

When I came on board, the Corporate Compliance Program and Compliance Privacy & Security Programs were very limited. In less than three years, I have built the Compliance Plans and received my CHC, CHPC, and my Lean Six Sigma Green Belt.

What products/services do you provide for the healthcare industry and what is unique about them?

We provide comprehensive care for patients with bleeding disorders from birth to death.

When did you first get involved with HIPAA compliance?

When I began working in health insurance.

What are your main challenges regarding HIPAA?

Keeping up with all the regulations, laws, changes, and the risks of cyber security threats.

What do you think needs to be improved in the HIPAA regulations?

Lessen the restrictions on families assisting their loved ones with health issues and the barriers that get in the way.

Do you have any predictions for the future of HIPAA?

They are going to continue to get more stringent and more difficult to apply and manage.

Do you have any predictions for the future of healthcare regulation?

The doctors will be unable to treat patients using their expertise and qualifications because the payers limit the options and manage decisions based on money, rather than what is best for the patients.

Do you have any predictions for the future of the healthcare industry?

There will be less human interaction and more robotics.

Do you have anything else interesting to share with readers?

There is always something new to learn!


Interview: Caroline Cook, Privacy Consultant, GDH Government Consulting Services

HIPAA Journal is conducting interviews with healthcare professionals and service providers to find out more about their compliance journeys, how the HIPAA Rules have affected their working lives, and the successes and challenges they have faced with HIPAA compliance.

Caroline Cook, Privacy Consultant, GDH Government Consulting Services, has shared her thoughts

Tell the readers about your career in the healthcare industry

I’ve worked in healthcare for over 30 years. I’ve always been drawn to healthcare. As a teenager, I volunteered in hospitals and nursing homes. I earned a BA in Social Work and have spent the majority of my career working in acute care settings. My professional goals changed over time. I remained in acute care, transitioning to roles more specifically related to compliance. That led to my serving as the Privacy Officer for the hospital beginning with the implementation of the Privacy Rule. A few years later I served as the Chief Privacy Officer for a multi-facility health system. I then left acute care and began a career as a Privacy Consultant, obtaining three different certifications as an information privacy professional. I see my healthcare career as this amazing gift I’ve been given. It’s allowed me to be a part of this “realm” that is at its least described as an industry, but at its best is a combination of art, science, faith, technology, constant dedication, and compassionate intent. Everything in healthcare treatment and delivery is evolving quickly. It’s truly amazing. And, we’re only at the beginning.

What was your first position?

My first professional experience in healthcare was as a licensed social worker in an acute care hospital. My role included discharge planning, crisis intervention, facility placements, and case management. My role provided opportunities to work in outpatient, inpatient, and psychiatric care divisions, as well as opportunities for me to participate in compliance efforts, including the Joint Commission Readiness team, where I gained invaluable experience of compliance on a larger scale.

What is your current position?

I’m a Privacy Consultant employed by GDH Government Consulting Services. I’m currently on contract to a State Medicaid Agency’s Privacy Office. I’ve been in this role with the state agency for several years. I perform most of those duties performed in any healthcare privacy compliance office. This role has given me the opportunity to see the healthcare system from a very different perspective, that of payer and public service organization. I believe that puts me in the “thick of things” as far as the current healthcare landscape goes.

What are the main challenges in your position?

There are the usual challenges of budget, time, reluctance to let go of “the way we’ve always done it”, and the like. But the main challenge in this position, as in every position I’ve had over the years, is changing the cultural perception of compliance, not just information privacy and security compliance, but compliance as a whole. I believe the most successful way to achieve healthcare privacy and security compliance, successful interoperability, and genuine patient access and participation is by first understanding the primary goal is to provide the best healthcare delivered in the best way so we can help individuals, children, families live healthy and productive lives. It’s hard to move perceptions of compliance from the “avoidance of penalties” mode to the “pursuit of happiness” mode. But, that’s what has to happen if we want our healthcare workforce and compliance efforts to keep pace with the amazing technical evolution in healthcare.

Tell the readers about any significant event in your career

The most significant “event” in my career was a series of events really. I had gone into healthcare with the idea that I would always work and interact directly with patients and families. I thought that was the way I could make the biggest difference in the world. As I became more involved in compliance and other administrative efforts, I finally understood the critical part that those “behind the scene” folks play in making it all work. That made me think I could make a difference in bridging the gaps between the front lines and the administrators – something that has to happen when you want the best outcome for patients and families.

Are you working on any interesting projects?

There are so many projects underway currently. Medicaid modularity, health information exchange, patient access APIs and apps. In every project that touches personally identifiable information, we’re working to ensure privacy and security considerations are included at the initial planning stages. On a personal and professional level, I work hard to attend workgroup meetings virtually on several federal projects: TEFCA, Interoperability, WEDI Privacy and Security Workgroup. While I’ve done very little “work” on those projects, the ideas exchanged are helpful in understanding the short- and long-range vision.

When did you first get involved with HIPAA compliance?

In 2002 I was asked to lead the implementation of the Privacy Rule provisions at the acute care hospital where I worked. I accepted, but had no idea how much I didn’t know that I didn’t know. Most of my knowledge of HIPAA had been related to portability and the “prudent person” provision for emergency treatment. I definitely learned on the job. HIPAA isn’t a simple list of do’s and don’ts. I think most of us working with HIPAA now know that our understanding or interpretation of any Privacy Rule provision is always a work in progress. Continuous reading and discussion with colleagues is a must.

What are your main challenges regarding HIPAA?

HIPAA, specifically the Privacy Rule, has very few definitive provisions. Those that are in part definitive (or seem to be) are weakened by limited specific interpretive guidance. Some are made confusing by other provisions that provide vague exceptions, or exceptions to exceptions, or seemingly theoretical applications. Professionals in my position have worked and continue to work within HIPAA enough to be confident in our interpretation. The challenge is taking that interpretation and making it more definitive yet flexible enough to apply it to everyday situations so we can properly train staff. Every day in every healthcare-related entity unique situations occur. Many just don’t “fit” with the generic examples provided in HIPAA guidance. The most important fact training should include is to pause and call for guidance before acting if you’re unsure whether a use, disclosure, or collection of information is permissible, and to what extent.

Do you have any predictions for the future of HIPAA?

I think, specific to privacy and security, HIPAA has served as the force that set things in motion. HIPAA is over 25 years old. Changes in every facet of healthcare have blown through HIPAA to the extent, in my opinion, that HIPAA actually impedes progress and possibly compliance with other related regulations. I think we’ll have “HIPAA” in some form forever, but not as it is now. The principles of information privacy and security are the same regardless of the industry or the sector of government oversight. But healthcare is a unique realm. Whether as a stand-alone regulatory Act or as a carve-out of a comprehensive federal law, there will be unique privacy and security regulations. Many of the current requirements were written based on manual processes. As technology continues to advance, definitive privacy and security requirement actions will be built into the tech (not referring to machine-decision making here) making some provisions obsolete. Some of the decisions programmed into the tech will require certain obsolete HIPAA provisions to be modified to allow individuals to opt-out of automated decision-making. Ideally, merging HIT, HIPAA, etc. regulations will occur as innovations make it feasible.

Do you have any predictions for the future of healthcare technology?

I doubt at this point we can conceive of just how far healthcare technology will evolve. The endless branches of what we call healthcare are already beginning to overlap. Innovations in technology and research will lead to more and more prevention/intervention before birth, before conception even, likely eradicating many of the health challenges we face today. On the other end of that spectrum will be advances that simplify and make safer treatment of illness/disease with better outcomes. Healthcare technology in the treatment of spinal injury paralysis, the development of prostheses, tremor control – all are already happening to a degree and will improve exponentially from now to….

Do you have any predictions for the future of the healthcare industry?

Not so much a prediction, but a hope. To truly provide quality healthcare to people, technology should be used and developed to the greatest extent possible, but should be done so as tools or resources that a knowledgeable, skilled, and compassionate healthcare practitioner can use in the art of practicing medicine.
