A Detailed Report of the Compliance Arena

By Phil Curran, CISO & CPO, Cooper University Hospital

The compliance environment continues to get more complicated and more difficult to understand. As we move forward, we must be flexible in our response to this ever-changing environment. While there are many factors making compliance more complicated, this article focuses on three: an increasing number of agencies involved in compliance, resources, and misunderstanding our mission.

A key area making compliance more difficult is the increasing number of agencies involved in regulating the healthcare industry. Healthcare organizations must no longer be concerned just about the Office of Civil Rights for HIPAA enforcement; we must now be concerned about enforcement from other agencies like the FTC. And just because one agency says your cybersecurity practices are sufficient does not mean the other agencies will agree. The FTC states that vulnerable or exposed data is an unfair business practice. The FTC can also determine that a company’s security practices were unreasonable or likely to cause harm to consumers without any tangible harm to the consumer. Any insufficient practices are enforceable under Section 5 of the FTC Act. Since 2015, the FTC has agreements with nine companies enforcing cybersecurity. The FTC has released guidance for businesses. Further, the OCR has issued guidance on HIPAA's intersection with the FTC. We must, therefore, review what the FTC has published and compare that with what the OCR has published and continues to publish.

Then there is always the fight for resources, both money and manpower. We are constantly under pressure to reduce our budget and to review the necessity for our headcount. I remember a question my CEO asked when we were implementing a patient privacy portal: “Can you reduce headcount?” Our senior executives are continually bombarded with requests for more: more money, more people, more supplies, etc. Our challenge is to make sure our senior executives understand the risks and consequences of non-compliance. We need to communicate in terms they understand. They understand risk, as they live risk every day. For example, they may not know what “encryption” is, but they will know the risk of not encrypting when you explain to them that the OCR has fined institutions in the hundreds of thousands of dollars for not encrypting. With this information, they can then make informed decisions on whether to purchase a new MRI or purchase encryption.

I always tell people that I have two objectives: protect the patient and protect the institution, and I cannot do one without the other. For instance, when we find billing errors and stop those bills from going out until they are fixed, finance sees us blocking revenue. We need to work with the CFO and her organization to ensure that they understand why we are not automatically forwarding bills. We are also seen as blocking innovation when we say we need to take a deeper look at projects that pose risk to the organization. One way we can become aware of projects is to inject ourselves into the procurement process so that we become aware of projects early in the process. We can then provide our guidance on the project that will accomplish the project’s objectives as well as protect the institution.

The compliance landscape is only getting more complicated. As the organization responsible for knowing and maintaining compliance with this ever-changing environment, we need to continue to be innovative in keeping current with these regulations so that we may continue to protect the patient and protect the institution.
