Building a next-generation privacy operation
Last month, Matt Fisher, a partner at Mirick O’Connell and chair of the firm’s health law group, joined Robert Lord, Co-Founder and President of Protenus, for a webinar to discuss best practices healthcare organizations can employ when migrating from reactive to proactive privacy postures, and how to integrate guidance from regulatory bodies into these practices.
Moving to a data-driven proactive privacy approach
Matt works with different types of healthcare organizations every day, giving him a breadth of exposure to the range of challenges they face when reforming their patient privacy postures. For example, he noted that small community hospitals and large academic medical centers often face distinct constraints and challenges when implementing new compliance programs.
He also described a trend that extends beyond patient privacy but also affects it: a growing number of organizations are implementing and using tools that allow them to “extract meaning from their data” amidst the current “explosion” of healthcare data. This “explosion,” as Matt noted, is producing a quantity of data that makes manual analytical processes no longer viable. He explained how artificial intelligence automates these once-manual, lower-value activities, allowing healthcare workers to focus their time on more strategic questions.
However, Matt also shared some of the challenges he has seen healthcare systems face when evaluating new technologies. He explained that he would like to see more thought given to how new technologies will change existing workflows before diving into implementation phases. For example, many healthcare organizations roll out privacy monitoring tools but struggle with how to address the results, and once they’re aware of privacy issues, they can’t deliberately ignore them. There needs to be a more thoughtful understanding of the workflow required to respond to the results before the implementation of these monitoring solutions begins.
What we can learn from OCR
As a healthcare compliance lawyer, Matt spends a lot of time helping healthcare organizations interpret and meet OCR standards. He had some insightful comments on what we can expect in 2018 based on OCR’s activity in previous years, while also identifying an important caveat in this logic.
Before last year, there was a fairly steady stream of approximately a dozen enforcement actions from OCR per year. However, with the arrival of the new administration in January 2017, there was very little action in the latter half of last year, and there has been one announcement in 2018. The point is that, more recently, it has been more difficult to predict what’s coming. Matt noted that perhaps when the administration settles in, greater consistency will be restored. Regardless, Matt stressed that a lot of guidance has been coming out that helps people who are not way in the weeds understand what they need to do under HIPAA, and that anything about what OCR is focusing on is great industry knowledge.
At the end of their conversation, Robert asked Matt about two things he would encourage compliance teams to focus on in 2018. Matt said that privacy awareness training that is more robust than an annual session should be a key component of any compliance team’s 2018 efforts, and that he would like to see better collaboration between organizations, which is necessary if we’re going to succeed in building and implementing new models of care.