Podcast: An Expert's Advice for Tackling Your Organization's Risks

We kicked off this episode of Compliance Conversations with a guest host, our very own compliance expert, Marcie Swenson, and a great guest, Emily Haley, who has worked as a Chief Privacy Officer and Compliance Director at Intermountain Healthcare and is currently working in Care Transformation. In the first half of the show, Haley gave us a full-fledged rundown on gap analysis, risk analysis and risk management plans. In the second half of the show, we dove unapologetically into the OCR’s phase 2 desk audits and protecting PHI.

“Everybody is familiar with OCR’s phase 2 desk audits, where they audited 63 covered entities...and 40 something business associates. They used a scale 1 through 5, 1 being the very best risk analysis or risk management plan, and 5 being the very worst...more than half both business associates and the covered entities had scored a 4 and a 5. A 4 and a 5. Based on that, that’s quite shocking. That means most of us are not doing the right things.”

What did the results of the phase 2 audits mean? Did these entities not know what to do? Did everyone take a stab in the dark and guess wrong? It’s 2018 and we have a 2010 guidance document from the OCR. The document is vague and somewhat dated. So what can all of us do to mitigate our risks, despite the vague and outdated guidelines?

Tune into our latest episode of Compliance Conversations, Smart Strategies to Holistically Tackle Your Organization’s Risks, with guest host Marcie Swenson. In this podcast we’ll cover how every department must work together to reduce risks, how risk analysis depends on gap analysis and management plans, and how to mitigate the lack of updated risk analysis guidance from the OCR.

Episode Transcript

Woman’s Voice: You are listening to the Compliance Conversations podcast by Healthicity. If you work in the healthcare industry you know how crucial compliance is to your bottom line, your reputation, and the success of your organization. If this is your first time listening, welcome. A transcript of every Compliance Conversation episode can be found at www.healthicity.com/resources along with a ton of other thought leadership resources and materials. You can add us to your RSS feed and iTunes or follow us on Twitter or Facebook.

Woman’s Voice: Compliance Conversations is sponsored by Healthicity. Healthicity designs software and services that simplify compliance and auditing challenges that reduce your risk and save you money. Where others see complexity, we see simplicity. For more information, visit Healthicity.com.

Marcie: Hi, welcome to today’s podcast, this is Marcie Swenson, Vice President of Compliance for Healthicity, and I am replacing CJ, your usual host, for the day. I am excited to be here, and I also have Emily Haley with me here. Welcome Emily.

Emily: Hi.

Marcie: Let me give a little introduction of Emily, and we’ll ask her a few more questions about her experience. Emily, after completing a bachelor’s in English literature, worked as a physician recruiter, and then returned to law school and completed her Juris Doctorate. After graduating, she practiced law in Colorado and Utah, before joining the legal department of Deseret Mutual, which is a health plan. Then, with a strong desire, and I’ve seen this from working with Emily, a strong desire to be more directly involved with patients, caregivers and clinic operations, she then joined Intermountain Healthcare. Shortly after joining them she became the Chief Privacy Officer and Compliance Director, so they just loved her immediately.

Emily: Thanks Marcie.

Marcie: Within your role in privacy, tell us a few more of your responsibilities, or maybe some big projects or things you got to be involved with.

Emily: Being the Chief Privacy Officer at Intermountain was really kind of a dream job for me. It was a perfect mix of legal background, with people skills, with operations. You could find any scenario to apply HIPAA regulations to. You name it and they are working with it. To get to manage a team where we were responsible for all the policies and procedures, over sixty of them, reviewed about 40 incidents a week, and did a risk assessment on those. Handled all the business associate and data security agreements. Let’s see, what else… one of my favorite responsibilities was to be from the ground up working with business development, instead of that approach where you just come to compliance where you get a yes or no to do your project, it was “Let’s help you design a compliant project.”

Marcie: From the ground, up.

Emily: From the first. That entrepreneurial side was really fun for me.

Marcie: Ultimately that probably saved a lot of people time, rather than jumping in later and needing to go back and retrace steps that should have been done differently.

Emily: Yes, because business development likes to work fast and create as they go on the fly. That just did not work to hand them a big flow chart work flow that they would have to wait months to get through, hoops to jump through.

Marcie: Yeah, or tell them “Oh, you did this wrong… you need to go back and redo it.”

Emily: Yeah, you need to go back to square one and then let me know when you fix that. I like to meet with them regularly, build relationships, and it taught me the different ways to use data as well. It was a good way to research, it was good to have to research a new and innovative way to use data. There was a constant tension: protect the data, use the data, to survive. It was an incredible position to have. It probably led me to work in Care Transformation now.

Marcie: That’s great. I often get questions from some of the clients and people that work with Healthicity because they are very worried about doing a risk analysis. So of course, we know that this is a requirement to conduct a regular risk analysis, and to do risk management. Can you tell us, I think people get a little confused on what is risk analysis and what is risk assessment, and what’s work plans or risk mitigation? All those terms get messed up in how we use them and how people understand them. Why don’t you tell us what you think a gap analysis is, compared to a risk analysis, compared to a risk management plan.

Emily: I would love to do that. That was an interesting lesson, me included, you hear the terms risk analysis, risk management plan, all the time, and they are used interchangeably. Even then just logically you think “Well, let’s pull out the OCR tool kit, identify where we have gaps, and those are our risks, and we just convert that to a risk analysis.” That’s not the case, that’s where you go with common sense, but it’s not the case. The OCR tool kit is what you as a covered entity, or business associate, can go through and say which of these elements are required for us to comply with, which of them are addressable, if we can’t implement what’s addressable because it’s unreasonable, what are we going to do. Preparing your documentation that way, but that document is really a privileged document. It’s what you as a covered entity, it’s how you are working with those addressable items, like encryption per se. It’s really privileged. You don’t use that and save as and make that a risk analysis. The risk analysis is where you look at the risks your entity has, you look at where you have PHI, you have that ePHI inventory, you look at where it is, what could cause a breach, what kind of risks you have and how likely those are to occur.

Marcie: So the gap is like, “Okay, these are some holes we have.” And the risk analysis is even if you don’t think you have a gap, or a hole, you’re still assessing the likeliness, or the probability, of that risk, an issue of that risk happening. So those are kind of the simple differences.

Emily: And even beyond holes, it’s more of your personal, the rules let the covered entity, the rules are meant to suit many different sizes of entities, that’s why they make some things addressable. They know that the tiny entity cannot implement the same things as the huge entity. So the tool kit just helps you know what’s required, what’s addressable, and review that, and analyze whether you can implement that and why you can’t or where you want to go in the future. That’s not what we call a risk analysis that we’d submit to the OCR. That was a huge learning for me.

Marcie: Yeah.

Emily: The risk management plan comes after that, and that is just a document showing how you’re going to implement safeguards. How you’re going to reduce the likelihood of that risk occurring.

Marcie: So that’s your risk mitigation, as another term, or work plan. Lots of people call it work plan. So, a thing that’s again interesting in these terms, like an example, in various OIG guidance for compliance programs, they use the term risk assessment, but then the OCR uses the term risk analysis. So, in some ways the various agencies are creating the confusion in terms, but those two things are actually quite similar. Risk assessment vs. risk analysis, just two different agencies using two different terms, and then of course the same thing with risk management plan, or a risk mitigation plan, or work plan, those are kind of the same thing. I’m sure there is some expert out there, that could tell me, even some differences between those, but in general those could kind of be categorized as the same thing.

Emily: Yeah.

Marcie: Okay, we’re going to take a quick break and we’ll be back.

Woman’s Voice: Compliance Conversations is sponsored by Healthicity. Healthicity designs software and services that simplify compliance and auditing challenges that reduce your risk and save you money. Where others see complexity, we see simplicity. For more information, visit Healthicity.com.

Marcie: Okay we’re back now, and today we’re with Emily Haley, and we’re talking about Privacy. We were just finishing off a conversation about gap analysis, risk analysis, and risk management plans. What would you say, now that we’ve covered the definitions of what those are, what’s required for a risk analysis? Now, I want to ask that question, but I also want to bring up some other factors for you to consider when talking about this, but for our audience too. Everybody is familiar with OCR’s phase 2 desk audits, where they audited 63 covered entities, and I think 40 something business associates. They used a scale 1 through 5, 1 being the very best risk analysis or risk management plan, and 5 being the very worst. The surprising thing here, more than half both business associates and the covered entities had scored a 4 and a 5, so not even a 3. A 4 and a 5. Based on that, that’s quite shocking, that means most of us out there are just not doing the right things. What do you think is required for a risk analysis?

Emily: It is so interesting when you look at the results of those phase 2 audits, did these entities not know what to do, did everyone take a stab in the dark and guess wrong? And I think it has a lot of truth to it. What is required is not the clearest. What we do have, and think about it, it’s 2018, we have a 2010 guidance document from the OCR. It doesn’t talk about the format, it talks about the elements that you need for a risk analysis. As an attorney with a legal background, that’s exactly where we’re going to go Marcie when responding to an OCR complaint and they ask for a risk analysis. You’re going to hope your security department put it together with the elements that were required, but you look at the document and there is not much to it, and it’s kind of dated. It can cause a stab in the dark that obviously failed, that 0 got the top level. You think about how many top healthcare companies could have been in that mix.

Marcie: Yeah, Emily mentioned that 0, not even 1, of the covered entities who had the desk audit, received a top score of a 1. Some of the, obviously there is a lot of room between a score of a 1 and a 5, but I think that is so shocking. So, you have no 1’s, so that basically means all of them are split between, half of them are 2’s and 3’s, and half of them are 4’s and 5’s. So, 2’s and 3’s they maybe have some type of risk analysis and risk management effort, but by far it’s not complete. Then 4’s and 5’s are like, did they do anything? Some of the examples, or the description of a 4 is, “Audit results indicate the entity made a negligible effort to comply with the audit requirements, policies and procedures that are submitted for review are copied from an association template. Evidence of training is poorly documented and generic.” Then a 5 is, “The entity did not provide evidence of serious attempt to comply with the rules and enable individual rights with regard to PHI.” It’s just, they have nothing in place almost. To have 21% of who they audited in that category is quite shocking, especially when I work with people when consulting, I laugh, new people getting into compliance, HIPAA is one of the first things they focus on. They know it’s there, they worked with HIPAA regardless of what world they came from, clinical, billing and coding, whatever it is everybody knows HIPAA and so they focus on that area first. It’s surprising that 21% of them have nothing.

Emily: It’s completely shocking. Even really mature programs, that probably work with consultants to prepare their risk analysis and risk management plans, even those entities, no one got a 1. To say the least, I think we can assume the requirements are a bit fuzzy or vague, maybe on top of it just because rules are required and addressable it makes it kind of, it’s not too black and white to do that risk assessment. One hand you’re using your tool kit and saying okay these 5 addressable items are not reasonable for us to implement, let’s keep an eye on those, see if we can mitigate those another way, all the way to what our big risks are and how will we reduce those. To not have a lot of guidance on that does leave a lot of leeway. When you look at the 2010 document, honestly, you should think of it as your legal document risk analysis. You might need a lot more detailed road map for security to use. It’s just probably not enough.

Marcie: For me, I think, a lot of compliance professionals, especially if they come from the business or clinical side of things. The regular compliance programs like policies and procedures, really those that scored a 4 or 5 that don’t even have policies and procedures in place, it makes me wonder why. That’s such a basic element of a compliance program, you can at least have that in place. When it gets into some of the more IT related information and knowledge, then I think it’s harder for people coming from the business or the clinical side of things in compliance to understand those, so they may get a little bogged down, but these 4’s and 5’s, the covered entities that scored 4 and 5, they didn’t even have some of the basic parts of a compliance program. So, of course some of these covered entities were probably small to medium, and some of them were larger. What do you think are some options that a small provider, or a small critical access hospital with limited resources, what are the options? Because they can’t do a risk analysis with 170 points of risk, and then have 170 points of risk mitigation, or the risk management plan, because they probably don’t have a full-time security officer, or they probably don’t have a full-time compliance officer.

Emily: I think that the best option for those, and it’s actually similar to how a massive organization has to operate, you can’t do everything you need to do, or educate the way you need to, by limiting who performs the functions. You have to draw those dotted lines everywhere you can. Whether you pick department managers that are trained in helping you with the risk assessment on a yearly basis, maybe it’s more frequent than that, maybe you can audit it as much as you can where specific questions go out. Maybe you do more assessment all throughout the year, and it’s not just once a year, but you have to partner with those on the floor, and those who have access to the PHI.

Marcie: So really, there has to be some level of progression, even if it’s a multidisciplinary group of people with maybe not any security expertise but moving forward even if it’s at a really slow pace.

Emily: Yeah.

Marcie: I would agree with that, because I know smaller providers and hospitals have a harder time with resources, and having the expertise, but I think that is a much more favorable look if you’re being audited, to show a gradual improvement rather than no improvement at all. We kind of talked a little bit about this, but what are some of the other things we can learn from the phase 2 audits?

Emily: I think, it was almost reassuring… Not reassuring but comforting to know that we are not the only ones taking a stab in the dark, that these are vague things. That alone was a bit of a comfort to me, “Oh, everyone is trying for this!”, at the same time, this subject just has a tendency to make people try to avoid it. That vagueness, and these big documents that have legal ramifications, but we don’t quite know if we’re hitting the mark, it makes you avoid the topic.

Marcie: Which is the exact opposite, because security almost, I think, as far as a comprehensive risk assessment for an organization. Security and privacy are probably going to end up right at the top of their highest risk year after year.

Emily: And they are.

Marcie: Yeah, seems like the industry is one step ahead of the health care IT industry, and the bad guys, the ransomware and the malware, seems like they are always one step ahead. That’s why it ends up, it’s quite volatile, and that’s why it ends up right at the top of the risk assessment.

Emily: I think, Marcie, that kind of supports the belief we were talking about earlier. Don’t separate your transformation department, and your business development department from your legal and compliance department. Don’t have it be a turf war. Don’t have it be so segregated. The people that are on the front lines that are kind of entrepreneurial in spirit and the transformative attitudes, they are noticing the bells and whistles, they are noticing how we can push healthcare forward. It’s not top of mind, “Why can’t I connect this tool to our network?”, they are not thinking of the risks involved. There’s got to be even more of a partnership between cyber security and IT folks, and transformation kind of Bus Dev type folks. They all want the same thing at the end, but they are traditionally moving at a much different pace.

Marcie: And I think it takes all of those different teams to help one another understand what’s happening so you can truly realize what risk is there.

Emily: If you want to impact your risk, you don’t rely on a once a year online training. Or cyber security coming in twice a year to tell you about the highest risk. It’s that you better be walking in step with each other. What are you wanting to innovate? Are you wanting to do something with your patient portal and scheduling and online accounts? They need to partner, you need to partner all the time, you need to invite them to your meetings or to your project frequently, you cannot just do it at the end.

Marcie: I think, of all different types of departments, a physician group, or a hospital system, can play into the organization’s successful security plan. You even take supply purchasing, they are purchasing things that connect to your network, hold patient data, people don’t realize that a huge percentage of medical equipment now actually holds patient data. Understanding even in the procurement part of things, what are you getting, what is the security profile of this piece of equipment. Me, as a compliance officer, I can’t tell you what the security profile is on that piece of equipment, so I need to have the cooperation with information systems, or the IT department, or I really can’t perform my job to the level that I need to.

Emily: Sometimes I’ve found this helpful in privacy, you can really start using words like we dissected today. What is the difference, the word risk is used every other sentence, like in privacy and security, and are throwing words around, and to the multidisciplinary type of departments, are they all thinking the same? I’m talking PHI, period. The more we kept trying to train people what PHI is, there is a different opinion every day. There can even be between privacy and security, the more you drill down and say give me an example, tell me how you use this tool, where the data flows from, the more you can get out of the lingo, and get more into what happens and what would happen if a breach would occur, the better.

Marcie: Yeah.

Emily: Get out of the legalese and just talk about it.

Marcie: Even education is that way. It’s apply what is going to happen in their job, they don’t want the definition of what HITECH is, it’s how does this apply to me.

Marcie: Well that has been really good advice, thank you for answering those questions, I’ve enjoyed today. Thank you for joining us for our chat today with Emily Haley. To all the listeners out there, thank you for listening to Compliance Conversations.
