Interviews

Interview: Stacey A. Tovino, JD, PhD, William J. Alley Professor of Law, University of Oklahoma College of Law

HIPAA Journal is conducting interviews with healthcare professionals, compliance professionals, and industry service providers to find out more about their experiences with HIPAA, their successes, and the challenges they have faced and continue to face with HIPAA compliance. This week, Stacey A. Tovino, JD, Ph.D., William J. Alley Professor of Law and Director of Graduate Healthcare Law Programs, The University of Oklahoma College of Law, shared her thoughts.

Stacey A. Tovino, JD, Ph.D., William J. Alley Professor of Law and Director of Graduate Healthcare Law Programs, The University of Oklahoma College of Law

Tell HIPAA Journal readers about your current position.

I currently serve as the William J. Alley Professor of Law and Director of Graduate Healthcare Law Programs at the University of Oklahoma College of Law. I am an elected member of the American Law Institute and an invited fellow of the American Bar Foundation. My current research focuses on privacy, security, and breach notification law and my privacy, security, and breach notification-related scholarship work is published in textbooks, casebooks, encyclopedias, law reviews, medical and science journals, and ethics and humanities journals, including Duke Law Journal (2022), Notre Dame Law Review (2019), Iowa Law Review (2019), and Alabama Law Review (2018).

What was your first position?

My first post-law school position was as an associate attorney at Vinson & Elkins in Houston, Texas.

What are the main challenges in your position?

My main challenges include keeping up with state law developments relating to privacy, security, and breach notification law.

Tell the readers about your career in the healthcare industry.

I have served as Chair of the AALS Section on Law and Mental Disability (2009), Chair of the AALS Section on Torts and Compensation Systems (2018), Chair of the AALS Section on Law, Medicine, and Health Care (2022), Chair-Elect of the AALS Section on Law and Mental Disability (2021-2022), Chair-Elect of the AALS Section on BioLaw (2021-2022), Chair-Elect of the AALS Section on Law and the Humanities (2022), Chair-Elect of the AALS Section on Law Professors with Disabilities and Allies (2022), and Executive Committee Member of the AALS Section on Teaching Methods (2020-2022).

Prior to joining the faculty at the University of Oklahoma College of Law, I served for a decade as the Judge Jack and Lulu Lehman Professor of Law and the Founding Director of the Health Law Program at the University of Nevada, Las Vegas (UNLV) William S. Boyd School of Law, and in 2019, I received UNLV’s Top Tier Award, an honor bestowed on faculty members who demonstrate excellence in all five areas of UNLV’s Top Tier Mission.

I have also served as Founding Director of the Health Law and Policy Center and Associate Professor of Law at Drake University Law School (2008-2010); Assistant Professor of Law at Hamline University School of Law (2006-2008); Visiting Assistant Professor, Research Professor, and Adjunct Professor at the University of Houston Law Center (2003-2006); and attorney in the Health Industries Group of the Houston office of the international law firm Vinson & Elkins (1997-2003).

During my practice, I have represented physicians, scientists, allied health professionals, general and special hospitals, academic medical centers, organ procurement organizations, blood banks, and nonprofit healthcare organizations in civil, regulatory, operational, and transactional matters. I am an enthusiastic teacher of HIPAA Privacy Law and earned law school-wide teaching awards in 2009, 2012, 2013, 2014, 2016, and 2020, as well as an OU College of Law Institutional Impact Award in 2021.

When did you first get involved with HIPAA compliance?

I attended law school at the University of Houston between 1994 and 1997. In August 1996, right at the start of my third year of law school, President Clinton signed HIPAA into law. HHS published its first proposed privacy rule in November 1999, shortly after I began practicing law. I have focused on HIPAA privacy matters my entire career.

Are you working on any interesting projects?

Yes. My most recent law review article focuses on the lack of HIPAA protections for student treatment records. Given that FERPA (the Family Educational Rights and Privacy Act) also excludes student treatment records from protection, leaving them only to state law, I am arguing that state law is insufficient to protect the sensitive and sometimes stigmatizing information in these records.

What do you think needs to be improved in the HIPAA regulations?

HIPAA needs to improve its protection of student treatment records and reproductive health information, just to name two.

Can you explain the current problem with student treatment records?

The HIPAA Privacy Rule’s use and disclosure requirements (45 C.F.R. 164.502-.514) and individual rights (45 C.F.R. 164.520-.528) only apply to protected health information (PHI). In addition, the HIPAA Security Rule’s administrative, physical, and technical safeguards only apply with respect to electronic PHI (ePHI). Moreover, the HIPAA Breach Notification Rule only applies to unsecured PHI (uPHI).

To be protected by any of the HIPAA Rules, then, there must be PHI. The catch is that the HIPAA Rules exclude “student treatment records” from the definition of PHI. (Student treatment records are defined to include the medical records created and maintained by university-owned student health centers about postsecondary students that are not disclosed for non-treatment purposes.) Moreover, the Family Educational Rights and Privacy Act (FERPA) also excludes student treatment records from the definition of education records. The result is that student treatment records are only protected by state law. Unfortunately, state facility licensing laws, state medical record privacy laws, state data security laws, state breach notification laws, and new state consumer data protection laws provide minimal, if any, protections for student treatment records due to relevant exceptions, including exceptions that apply to HIPAA covered entities, educational institutions, and/or student treatment records.

The result is that many student treatment records are only protected by antiquated privacy provisions set forth in state professional practice acts. However, most state professional practice acts: (1) do not carefully or heavily regulate the use and disclosure of student treatment records; (2) do not provide students with comprehensive rights relating to their health information, including the right to receive a notice of privacy practices, the right to request additional privacy protections, the right to correct inaccurate medical record entries, the right to receive an accounting of disclosures, the right to be notified of privacy and security breaches, or the right to mitigation of harmful effects associated with such breaches; (3) do not require the implementation of administrative, physical, or technical safeguards designed to ensure the confidentiality, integrity, and availability of student health information; and (4) are not aggressively enforced (or enforceable) through stringent civil and criminal penalties, qui tam provisions, or private rights of action.

In a forthcoming article due to be published this year – Privacy for Student-Patients: A Call to Action, Stacey A. Tovino – I propose and justify amendments to the definition of protected health information under HIPAA and the definition of education records under FERPA. If my proposals are implemented by HHS and Congress, respectively, student treatment records will be protected by the HIPAA Rules at all times during their life span.

How do you feel HIPAA is failing to ensure the privacy of reproductive health information?

The HIPAA Privacy Rule currently treats reproductive health information like any other class of health information, including orthopedic information, dermatological information, or neurological information. Stated another way, reproductive health information is not specially protected under the HIPAA Privacy Rule. One idea is to apply heightened, or more stringent, confidentiality protections to reproductive health information. For example, the HIPAA Privacy Rule already provides heightened confidentiality protections to psychotherapy notes. Why not reproductive health information as well?

In particular, the HIPAA Privacy Rule prohibits covered entities from using or disclosing psychotherapy notes without the patient’s prior written authorization for any payment purposes under 45 C.F.R. § 164.506(c)(1) and (3); for treatment purposes under 45 C.F.R. § 164.506(c)(2); for law enforcement purposes under 45 C.F.R. 164.512(f); and for most judicial and administrative proceedings purposes under 45 C.F.R. 164.512(e). See 45 C.F.R. 164.508(a)(2) (setting forth the only situations in which a covered entity may use or disclose psychotherapy notes without patient authorization). In an article that is forthcoming in the Cardozo Law Review – Confidentiality Over Privacy, Stacey A. Tovino, 44 Cardozo L. Rev. 101 – I show how these special protections could be applied to reproductive health information as well.

Do you have any predictions for the future of HIPAA?

I am looking forward to HHS regulations that will address whether patients injured by privacy violations can serve as qui tam plaintiffs and recover a portion of the settlements or penalties recovered by HHS.

The post Interview: Stacey A. Tovino, JD, PhD, William J. Alley Professor of Law, University of Oklahoma College of Law appeared first on HIPAA Journal.

Interview: J. Veronica Xu, Chief Compliance Officer, Saber Healthcare Group

HIPAA Journal is conducting interviews with healthcare professionals and vendors to get their points of view on HIPAA, how the legislation relates to their roles, and the successes and challenges they face with HIPAA compliance. This week, J. Veronica Xu, Chief Compliance Officer, Saber Healthcare Group, shared her thoughts.

J. Veronica Xu, Chief Compliance Officer, Saber Healthcare Group

Tell the readers about your career in the healthcare industry

I currently serve as the Chief Compliance Officer for Saber Healthcare Group – one of the largest long-term care providers in the nation. As a long-term care provider with more than 120 facilities in the nation (including skilled nursing facilities and assisted living facilities), we provide individualized care to patients and residents in seven states.

What was your first position?

I worked as an attorney at a law firm.

When did you first get involved in HIPAA compliance?

When I was practicing law and advising corporate and individual clients on various legal matters, HIPAA compliance issues would come up from time to time. When I first assumed the current role, HIPAA compliance was part of the compliance department’s responsibility. So naturally, I took on the task, and have been managing our organization’s HIPAA compliance since then.

What attracted you to further your career in compliance?

I love what I do and I am passionate about compliance work. As people can imagine, compliance is not an easy field and it is full of roadblocks and challenges, but that makes it exciting too because the risk landscape is constantly evolving, which requires compliance professionals to adapt, adjust, assess, reflect, and improve. Furthermore, compliance work is important.

What are the main challenges in your position?

Keeping up with emerging risks, operationalizing legal and regulatory requirements and incorporating them into daily practices and processes, maintaining the compliance momentum, and fostering a culture of compliance.

What are your main challenges regarding HIPAA?

Operationalizing the legal and regulatory requirements, making the rules easy to understand for everyone in the workforce, and continuing to heighten employees’ awareness of the HIPAA Rules and the importance of HIPAA compliance.

What do you think needs to be improved in the HIPAA regulations?

I think it is safe to say laws and regulations are not the world’s most interesting or digestible thing for people to read. The reality is they are written by legal professionals, but not everyone in our society is a lawyer. When doing compliance work, we always keep some key elements in mind, such as clarity, simplicity, and practicality, because we want our staff members and patients/residents to appreciate what the requirements and expectations are.

If the language of the rules seems vague or confusing, it will be hard for front-line staff to comprehend, thus further making it difficult to operationalize and ensure compliance. When patients/residents don’t understand the HIPAA Rules and are applying them incorrectly, it can cause unnecessary tension between the patient/resident and the provider. Clear, concise language would certainly help. Moreover, practicality and feasibility should also be taken into consideration. Sometimes, certain measures look wonderful on paper, but may not be realistic or have any pragmatic values in practice. The bottom line is: we all want to meet our residents’ needs. The laws and regulations not only serve as guardrails and deterrence but should also be a resource, tool, and guide that can help all of us carry out our responsibilities in the most effective and efficient manner.

Do you have any predictions for the future of healthcare regulation?

As new risks and challenges continue to emerge, there will definitely be more rules and regulations concerning the practices in the healthcare industry – whether it is relating to the care that people receive or the technology that is used to assist with care delivery or information transmission.

Do you have any predictions for the future of healthcare technology?

Technology will become more advanced and will be able to assist healthcare providers with catching errors early on and rendering high-quality care to patients. It will be an indispensable tool in the healthcare sector.


Interview: Natalie Birindelli, Healthcare Engagement Advisor, Amazon Web Services

Natalie Birindelli, Healthcare Engagement Advisor at Amazon Web Services has shared her thoughts on HIPAA and how the legislation relates to her role and her career.

Tell the readers about your career in the healthcare industry

Experienced Healthcare Cybersecurity/Information Technology Leader with over 20 years in the hospital & healthcare industry. Skilled in Telehealth, Cybersecurity, Cloud Infrastructure, Communications, Education and Awareness, Program and Healthcare Management, Privacy with an innovative approach to implementing complex technical solutions.

What was your first position?

Medical Assistant/Billing Specialist at Elite OB-Gyn/Genetics Consultants of VA and MD for 6 years. Then worked at McLean, VA, where I assisted a team of physicians with all aspects of patient care for multi-facilities including processing and submitting referrals, insurance claims and consultation letters, reconciling medical billing and follow through with insurance carriers, and I implemented the 1st EHR, Medisoft software, and trained all clinicians and staff.

What is your current position?

Healthcare Engagement Advisor. I provide cloud compliance advisory services for the healthcare industry through their cloud journey.

What are the main challenges in your position?

Mitigating concerns about cloud compliance in healthcare; the siloed landscape of health systems leads to redundancy and challenges in regard to ensuring compliance across outdated systems which were never developed to scale to today’s ever-evolving threat landscape.

Tell the readers about any significant event in your career.

I implemented a multi-million-dollar comprehensive cyber program which was the largest change transformation for a large international health system. Building trust, transparency and soliciting input from our clinicians was critical to its success. When the pandemic hit, the need for a technical resource with clinical background to implement acute care Telehealth was required and I stepped up to the challenge. The program was such a success, it became the gold standard across the health system, and I was presented with an award of excellence.

What products/services do you provide for the healthcare industry and what is unique about them?

I provide cloud compliance advisory services. Being on the operations side for over 20 years, understanding the nuances of the industry is invaluable to our customers as they face ongoing financial, organizational and threat intelligence challenges.

When did you first get involved with HIPAA compliance?

Straight out of high school, working for a physician practice, I was a medical assistant but also implemented the EHR and trained providers on it.

What are your main challenges regarding HIPAA?

Ensuring that unintentional disclosures are addressed and remediated, and that controls are in place to mitigate them.

What do you think needs to be improved in the HIPAA regulations?

Removing barriers to the more vulnerable populations that may not have the education or access to resources to help drive better outcomes.

Do you have any predictions for the future of HIPAA?

Increased alignment with GDPR regulations and more control to patients over access and sovereignty of that data.

Do you have any predictions for the future of healthcare regulation?

If anything, COVID has shown the healthcare industry it can pivot at an unprecedented rate. Innovation and technical barriers to social determinants of health will be addressed leading to more patient engagement and transparency for healthcare providers.

Do you have any predictions for the future of healthcare technology?

The use of AI/ML will mature over time and reduce unconscious bias as we look at improving outcomes and value-based care.

Do you have any predictions for the future of the healthcare industry?

Innovation, the use of smart technology to alleviate the administrative burden on extended IT staffs, and utilizing cloud technologies to improve compliance/risk posture will lead to better outcomes for patients, caregivers, and support staff.


Interview: John Jessop, Sr. Director, HIPAA Security & Regulatory Compliance, PPFA

HIPAA Journal is conducting interviews with healthcare professionals and service providers to find out more about their compliance journeys, how the HIPAA Rules have affected their working lives, and the successes and challenges they have faced with HIPAA compliance.

John Jessop, MHA, CISSP, CHPS, HCISPP, CISA, CMPE, Sr. Director, HIPAA Security & Regulatory Compliance, PPFA has shared his thoughts.

John Jessop, MHA, CISSP, CHPS, HCISPP, CISA, CMPE, Sr. Director, HIPAA Security & Regulatory Compliance, PPFA

Tell the readers about your career in the healthcare industry

I started my healthcare career as a lab tech back in 1982. Since then I received a Masters in Healthcare Administration from Baylor University, have worked in hospitals in a variety of roles from Facilities Management and Safety Management to Family Medicine Residency Program Administrator to VP of Physician Services, managed a number of physician practices, functioned as a healthcare software salesperson, worked as a consultant, was a VP of IT, and finally ended up as a Senior Director, HIPAA Security and Regulatory Compliance for a national corporation.

What was your first position?

My first position in healthcare was working in a hospital lab. After rotating through all lab sections, I focused on Microbiology, and then worked in the Morgue assisting in autopsies and doing Histocytology-related job functions. I found that I liked working in healthcare because of its mission, and wanted to try working in different areas in support of healthcare providers.

What is your current position?

At present, I am the Senior Director of HIPAA Security and Regulatory Compliance at a national healthcare organization, and work remotely for our Manhattan office. My office is responsible for keeping our affiliates informed regarding regulatory changes at both the Federal and State-levels. I lead our HIPAA Committee and Subcommittees (Privacy, Security, and Risk Management), and our Data Privacy Committee. I also participate in our Data Governance Committee and support our Enterprise Risk Management Committee.

What are the main challenges in your position?

The foremost challenge is HIPAA itself, and the lack of Federal guidance related to data privacy and security. HIPAA is extremely dated – it was drafted in 1994/5 and became a law in 1996. Prodigy and AOL were the major internet players then, and EHRs were not in widespread use. Most recently, HHS OCR issued an NPRM regarding a number of HIPAA Privacy Rule modifications in December 2020, and yet still nothing has changed. With respect to HIPAA Security, the 2021 HIPAA Safe Harbor Rule provides a mechanism for an organization to potentially lessen fines or penalties assessed by HHS OCR if an organization follows a recognized cybersecurity framework guide like the NIST Cyber Security Framework (CSF) or the 405(d) Committee’s Health Industry Cybersecurity Practices (HICP), but HIPAA still only has high-level, dated security guidance. We have had to push to implement policies and practices that are not spelled out under our guiding healthcare privacy and security regulation (aka HIPAA), a battle that requires ongoing leadership and Board education to ensure that appropriate budgetary support is secured. Having a law that we could point to would help us get what we need to ensure that our patients’ data is both secured and kept as private as is possible.

Are you working on any interesting projects?

We are implementing a privacy and security State and Federal legislation tracker that will be pushed out to all of our affiliates. It has been a fun project which pulls data from a third party into our data analytics platform, and then is posted to our corporate intranet.

When did you first get involved with HIPAA compliance?

My first HIPAA-related role was as a WEDI-SNIP Committee member for NH/VT back in 2000. We worked with the NH and VT Hospital Associations and Medical Group Management Association to help healthcare organizations become familiar with HIPAA, Administrative Simplification, and HIPAA Privacy requirements. When I worked as a consultant, I provided organizations with Privacy Policies and Security Manuals. I currently work with our Office of General Counsel elements, our State and Federal Policy Teams, our affiliates, and our IT/InfoSec Departments on HIPAA and other regulatory issues (like the 21st Century Cures Act, COPPA, the FTC Act, etc.).

What do you think needs to be improved in the HIPAA regulations?

The HIPAA Privacy Rule needs to be updated to reflect current industry concerns, such as privacy related to interoperability, protections around reproductive healthcare data, the role of social media in healthcare, the addition of new covered entities, addressing personal health applications, and changes related to data privacy management. The HIPAA Security Rule should be tied directly back to the 405(d) Program’s HICP or to the NIST Cybersecurity Framework. HIPAA Security Rule requirements should be far more prescriptive. Additionally, HHS OCR should be required to provide an annual update of the HHS OCR HIPAA Audit Protocols.

Do you have any predictions for the future of healthcare regulation?

HIPAA/HITECH and the 21st Century Cures Act will gradually be amended to come into complete congruence. I predict that there will eventually be a uniform data privacy act, but I only have 9 years to retirement so I may not see it. I think that there will be a strengthening of information security requirements across Critical Infrastructure Sectors primarily driven by financial pressures caused by the impact of ransomware. Here again, the States seem to be doing more in that area than the Federal government, but the security legislation is fairly haphazard and inconsistent across industries.


Interview: Kimberly Heimback, Compliance Officer, WNY BloodCare

HIPAA Journal is conducting interviews with healthcare professionals and service providers to find out more about their compliance journeys, how the HIPAA Rules have affected their working lives, and the successes and challenges they have faced with HIPAA compliance.

Kimberly Heimback, Compliance Officer, WNY BloodCare has shared her thoughts.

Kimberly Heimback, Compliance Officer, WNY BloodCare.

Tell the readers about any significant event in your career

When I came on board, the Corporate Compliance Program and Compliance Privacy & Security Programs were very limited. In less than three years, I have built the Compliance Plans, and received my CHC, CHPC, and Lean Six Sigma Green Belt.

What products/services do you provide for the healthcare industry and what is unique about them?

We provide comprehensive care for patients with bleeding disorders from birth to death.

When did you first get involved with HIPAA compliance?

When I began working in health insurance.

What are your main challenges regarding HIPAA?

Keeping up with all the regulations, laws, changes, and the risks of cyber security threats.

What do you think needs to be improved in the HIPAA regulations?

Lessen the restrictions on families assisting their loved ones with health issues and the barriers that get in the way.

Do you have any predictions for the future of HIPAA?

They are going to continue to get more stringent and more difficult to apply and manage.

Do you have any predictions for the future of healthcare regulation?

The doctors will be unable to treat patients using their expertise and qualifications because the payers limit the options and manage decisions based on money, rather than what is best for the patients.

Do you have any predictions for the future of the healthcare industry?

There will be less human interaction and more robotics.

Do you have anything else interesting to share with readers?

There is always something new to learn!


Interview: Caroline Cook, Privacy Consultant, GDH Government Consulting Services

HIPAA Journal is conducting interviews with healthcare professionals and service providers to find out more about their compliance journeys, how the HIPAA Rules have affected their working lives, and the successes and challenges they have faced with HIPAA compliance.

Caroline Cook, Privacy Consultant, GDH Government Consulting Services, has shared her thoughts.

Tell the readers about your career in the healthcare industry

I’ve worked in healthcare for over 30 years. I’ve always been drawn to healthcare. As a teenager, I volunteered in hospitals and nursing homes. I earned a BA in Social Work and have spent the majority of my career working in acute care settings. My professional goals changed over time. I remained in acute care, transitioning to roles more specifically related to compliance. That led to my serving as the Privacy Officer for the hospital beginning with the implementation of the Privacy Rule. A few years later I served as the Chief Privacy Officer for a multi-facility health system. I then left acute care and began a career as a Privacy Consultant, obtaining three different certifications as an information privacy professional. I see my healthcare career as this amazing gift I’ve been given. It’s allowed me to be a part of this “realm” that is at its least described as an industry, but at its best is a combination of art, science, faith, technology, constant dedication, and compassionate intent. Everything in healthcare treatment and delivery is evolving quickly. It’s truly amazing. And, we’re only at the beginning.

What was your first position?

My first professional experience in healthcare was as a licensed social worker in an acute care hospital. My role included discharge planning, crisis intervention, facility placements, and case management. My role provided opportunities to work in outpatient, inpatient, and psychiatric care divisions, as well as opportunities for me to participate in compliance efforts, including the Joint Commission Readiness team, where I gained invaluable experience of compliance on a larger scale.

What is your current position?

I’m a Privacy Consultant employed by GDH Government Consulting Services. I’m currently on contract to a State Medicaid Agency’s Privacy Office. I’ve been in this role with the state agency for several years. I perform most of those duties performed in any healthcare privacy compliance office. This role has given me the opportunity to see the healthcare system from a very different perspective, that of payer and public service organization. I believe that puts me in the “thick of things” as far as the current healthcare landscape goes.

What are the main challenges in your position?

There are the usual challenges of budget, time, reluctance to let go of “the way we’ve always done it”, and the like. But the main challenge in this position, as in every position I’ve had over the years, is changing the cultural perception of compliance, not just information privacy and security compliance, but compliance as a whole. I believe the most successful way to achieve healthcare privacy and security compliance, successful interoperability, and genuine patient access and participation is by first understanding the primary goal is to provide the best healthcare delivered in the best way so we can help individuals, children, families live healthy and productive lives. It’s hard to move perceptions of compliance from the “avoidance of penalties” mode to the “pursuit of happiness” mode. But, that’s what has to happen if we want our healthcare workforce and compliance efforts to keep pace with the amazing technical evolution in healthcare.

Tell the readers about any significant event in your career

The most significant “event” in my career was a series of events really. I had gone into healthcare with the idea that I would always work and interact directly with patients and families. I thought that was the way I could make the biggest difference in the world. As I became more involved in compliance and other administrative efforts, I finally understood the critical part that those “behind the scene” folks play in making it all work. That made me think I could make a difference in bridging the gaps between the front lines and the administrators – something that has to happen when you want the best outcome for patients and families.

Are you working on any interesting projects?

There are so many projects underway currently. Medicaid modularity, health information exchange, patient access APIs and apps. In every project that touches personally identifiable information, we’re working to ensure privacy and security considerations are included at the initial planning stages. On a personal and professional level, I work hard to attend workgroup meetings virtually on several federal projects: TEFCA, Interoperability, WEDI Privacy and Security Workgroup. While I’ve done very little “work” on those projects, the ideas exchanged are helpful in understanding the short- and long-range vision.

When did you first get involved with HIPAA compliance?

In 2002 I was asked to lead the implementation of the Privacy Rule provisions at the acute care hospital where I worked. I accepted, but had no idea how much I didn’t know that I didn’t know. Most of my knowledge of HIPAA had been related to portability and the “prudent person” provision for emergency treatment. I definitely learned on the job. HIPAA isn’t a simple list of do’s and don’ts. I think most of us working with HIPAA now know that our understanding or interpretation of any Privacy Rule provision is always a work in progress. Continuous reading and discussion with colleagues is a must.

What are your main challenges regarding HIPAA?

HIPAA, specifically the Privacy Rule, has very few definitive provisions. Those that are in part definitive (or seem to be) are weakened by limited specific interpretive guidance. Some are made confusing by other provisions that provide vague exceptions, or exceptions to exceptions, or seemingly theoretical applications. Professionals in my position have worked and continue to work within HIPAA enough to be confident in our interpretation. The challenge is taking that interpretation and making it more definitive yet flexible enough to apply it to everyday situations so we can properly train staff. Every day in every healthcare-related entity unique situations occur. Many just don’t “fit” with the generic examples provided in HIPAA guidance. The most important fact training should include is to pause and call for guidance before acting if you’re unsure whether a use, disclosure, or collection of information is permissible, and to what extent.

Do you have any predictions for the future of HIPAA?

I think, specific to privacy and security, HIPAA has served as the force that set things in motion. HIPAA is over 25 years old. Changes in every facet of healthcare have blown through HIPAA to the extent, in my opinion, that HIPAA actually impedes progress and possibly compliance with other related regulations. I think we’ll have “HIPAA” in some form forever, but not as it is now. The principles of information privacy and security are the same regardless of the industry or the sector of government oversight. But healthcare is a unique realm. Whether as a stand-alone regulatory Act or as a carve-out of a comprehensive federal law, there will be unique privacy and security regulations. Many of the current requirements were written based on manual processes. As technology continues to advance, definitive privacy and security requirement actions will be built into the tech (not referring to machine-decision making here) making some provisions obsolete. Some of the decisions programmed into the tech will require certain obsolete HIPAA provisions to be modified to allow individuals to opt-out of automated decision-making. Ideally, merging HIT, HIPAA, etc. regulations will occur as innovations make it feasible.

Do you have any predictions for the future of healthcare technology?

I doubt at this point we can conceive of just how far healthcare technology will evolve. The endless branches of what we call healthcare are already beginning to overlap. Innovations in technology and research will lead to more and more prevention/intervention before birth, before conception even, likely eradicating many of the health challenges we face today. On the other end of that spectrum will be advances that simplify and make safer treatment of illness/disease with better outcomes. Healthcare technology in the treatment of spinal injury paralysis, the development of prostheses, tremor control – all are already happening to a degree and will improve exponentially from now to….

Do you have any predictions for the future of the healthcare industry?

Not so much a prediction, but a hope. To truly provide quality healthcare to people, technology should be used and developed to the greatest extent possible, but should be done so as tools or resources that a knowledgeable, skilled, and compassionate healthcare practitioner can use in the art of practicing medicine.

Interview: Erich Scheunemann, Assistant Fire Chief, Anchorage Fire Department

HIPAA Journal is conducting interviews with healthcare professionals and service providers to find out more about their compliance journeys, how the HIPAA Rules have affected their working lives, and the successes and challenges they have faced with HIPAA compliance. This week, Erich Scheunemann, Assistant Fire Chief for the Anchorage Fire Department in Alaska shares his thoughts.

Erich Scheunemann, Assistant Fire Chief, Anchorage Fire Department (Alaska)

Tell the readers about your career in the healthcare industry.

I have served over 32 years in EMS and the Fire Service within a variety of public, private, volunteer, and contract agencies. I’ve been employed with the Anchorage Fire Department since 1998, holding numerous positions within the department including Firefighter/Paramedic, EMS Battalion Chief, Assistant Fire Chief, Training Chief, Chief of EMS, Health & Safety Officer, and Chief of Mobile Integrated Healthcare. I have Associate and Bachelor of Science degrees in Fire Service Administration, am a licensed Paramedic, and am certified as a Fire Service Instructor, Ambulance Compliance Officer, Ambulance Privacy Officer, and Peer Support Specialist. I’m also a member of the Alaska Maternal and Child Death Review Committee and the Alaska EMS Medical Direction Committee, as well as a volunteer group leader/peer supporter with the Southcentral Foundation Family Wellness Warrior Soldier’s Heart Post-Traumatic Stress training program for first responders and combat veterans.

What was your first position?

My first position(s) in Fire/EMS occurred after graduating from high school and while starting college. I obtained my Emergency Medical Technician certification as an elective college course and began working as an EMT for a basic life support service in Anchorage whose duty was to respond to public inebriates, assess them for medical needs, and then either take them to a sobering center or the hospital for medical clearance, or call for an advanced life support ambulance if needed. I was also a volunteer firefighter/EMT in my hometown north of Anchorage.

What is your current position?

I am an Assistant Fire Chief with the Anchorage Fire Department within our Operations Division. My current duties are Chief of EMS Operations, Health and Safety Officer, and Chief of Mobile Integrated Healthcare. My subordinates include an EMS QA/QI Officer, EMS Compliance Officer, three work shift Incident Safety Officers, and the AFD Mobile Crisis Team (911 behavioral health response team with a firefighter/paramedic and licensed behavioral health clinician).

What are the main challenges in your position?

Multiple areas of responsibility and a lack of resources. For a metro-sized public safety service, each of the “hats” that I wear should be an individual position, not responsibilities shared by one individual. As an Assistant Fire Chief, I also have other duties as assigned, including strategic planning, internal/external stakeholders, finances, and strings of unending meetings. As my subordinates are just as busy, it is easy to become overwhelmed and behind in project work.

Tell the readers about any significant event in your career.

Early in my career, I was a witness (as the EMS provider on an incident) in a federal trial that involved traveling to three different U.S. states over a period of several years to testify in court. This was a solid introduction to the importance of documentation in healthcare records and how details make all the difference, especially to assist when having to recall them years later.

Are you working on any interesting projects?

My EMS QA/QI officer and I are currently involved with a year-long national project to evaluate and safely reduce the use of lights and sirens on ambulances with the goal to update our current policies and procedures for triaging when ambulances should use these warning signals when responding to incidents or transporting patients to the hospitals. I am also involved in the early stages of a discussion to bring an IRB-approved prehospital medication trial into our EMS service.

When did you first get involved with HIPAA compliance?

I became our department’s Privacy Officer when one of my subordinates at the time, an EMS Battalion Chief designated as such, retired in 2015. As Chief of EMS, HIPAA fell within my domain, so I was actively involved in policy development and training well before that. I had long identified the need for a dedicated EMS Compliance Officer position and during a reorganization in 2020 I was able to pass my Privacy Officer duties to the new position.

What are your main challenges regarding HIPAA?

A large public safety organization that is a covered entity presents many unique challenges with HIPAA. While all EMTs and paramedics receive the training as part of their initial certifications, upon hire into my organization, and with an annual refresher henceforth, reinforcing sound practices within such a large organization with multiple reporting systems and databases, plus billing for services, is a challenge at best.

What do you think needs to be improved in the HIPAA regulations?

Some of the proposed HIPAA regulation changes, once a final rule has been made, will be a move in the right direction (specifically in regard to changes with the notice of privacy practices and increasing the ability to share PHI for behavioral health care). As with any governmental regulation, any clarification of current language is always helpful. And eliminate the use of fax machines for the transmission of PHI documents.

Do you have any predictions for the future of HIPAA?

My hope is future regulatory changes can be made to ease the complexity of the program for the end user and customer.

Do you have any predictions for the future of healthcare regulation?

Unfortunately, with ever-changing information sharing and storage technology and the complexities within the world of privacy protection and practices, I do not see future healthcare regulations becoming any easier to navigate through.

Do you have any predictions for the future of healthcare technology?

More automation of healthcare technological systems including AI integration into not only daily operations but also into research and predictive analysis within healthcare in general.

Do you have any predictions for the future of the healthcare industry?

Science, technology, and evidence-based patient care will be the continuing drivers of healthcare throughout the rest of this century. But against this progress will be the calamities of climate change, the emergence of novel diseases, and other environmental and human-caused marginalization, disasters, and war that will continue to negatively impact global health and significantly impact its healthcare systems.

Do you have anything else interesting to share with readers?

Thank you, HIPAA Journal, for this opportunity. Lastly, if you have never been to Alaska, I strongly encourage a bucket list trip to the 49th state. Whether by cruise line, plane, train, car, bicycle, or hiking, the wilderness is boundless here and well worth the visit at least once!

Interview: Nathanael Ayala, Compliance Officer, Hospital San Carlos Borromeo, Puerto Rico

HIPAA Journal is conducting interviews with healthcare professionals to find out more about their compliance journeys, how the HIPAA Rules have affected their working lives, and the successes of HIPAA compliance and the challenges they have faced.

The first HIPAA Journal Reader to share his views on HIPAA is Nathanael Ayala, Compliance Officer at Hospital San Carlos Borromeo in Puerto Rico.

Tell HIPAA Journal readers about your career in the healthcare industry.

My healthcare career has been an adventure since the beginning. I started by graduating as a graduate nurse from El Colegio (University of Puerto Rico, Mayaguez Campus).

What was your first position?

My first position was as an Emergency Room per diem nurse. Three months after my first position, I started working full-time as a telephone triage nurse with a health plan health advice service line. I kept the per diem job and I spent one year and a few months working both jobs.

What is your current position?

I’m now a full-time Compliance Officer with Hospital San Carlos Borromeo in Moca, Puerto Rico.

What are the main challenges in your position?

My position was not in full effect prior to my arrival at the Hospital because Compliance was handled by another department. So, one of the main challenges has been appropriately developing all seven elements of a compliance program within the fabric of the organization, though I have full support from the BOD and the Executive Director.

Tell HIPAA Journal readers about any significant event in your career.

There have been many significant events in my career. Seven months into my full-time role as a telephone advice nurse I filled in a vacant position as supervisor of a post-discharge monitoring program, which I did for almost two years until I got promoted to call center Service Manager. One year later, I finished my Master’s Degree in Health Services Administration and got promoted to Service Director.

When did you first get involved with HIPAA compliance?

As a Service Manager/Director, I got passionate about the Health Care Compliance field and started researching and studying it. A few months into being a Director I got certified by the HCCA CCB as Certified in Healthcare Compliance (CHC).

What are your main challenges regarding HIPAA?

I think the main challenge I often see is that people, even professionals and providers in the healthcare field, do not really comprehend what HIPAA means and stands for.

Do you have any predictions for the future of healthcare regulation?

The healthcare regulatory landscape is very deep and difficult with new rules and regulations each year. Some are vague and need clarification. That’s something regulators should improve.

Do you have any predictions for the future of healthcare technology?

With ever-changing technology, it is very difficult to keep up to date. The HIPAA Security Rule should include its own frameworks, and implementation guidance for administrative, technical and physical safeguards, and not solely refer providers or professionals to NIST or other frameworks.

Do you have anything else interesting to share with readers?

Thank you HIPAA Journal for this space to share my story and my thoughts with your readers. I’m looking forward to reading those fantastic stories that other healthcare professionals are sharing with this community.
