Emphasize Education for Healthcare Cybersecurity Compliance
Privacy can make or break an organization. For healthcare systems in particular, it’s essential to lock down data.
Margaret Scavotto explains the two sides to privacy: the penalty side and the positive side.
“On the penalty side, we have issues like ransomware, which is rampant,” Scavotto says.
“In healthcare, we have to conduct a HIPAA security risk analysis as well as invest in cybersecurity so that we don’t lose access to data or have a breach. It’s the cost of doing business.”
She says making the case for cybersecurity investment presents a challenge similar to quantifying how Compliance reduces fines.
“Yet the likelihood of getting hit by a ransomware attack is much higher than getting hit with an OIG settlement or fine,” Scavotto says.
Beyond the penalty side, Scavotto says privacy can be a tool for elevating patient care.
“It’s a huge opportunity for providers to focus on customer service and patient retention for two reasons,” Scavotto says. “Patients’ expectations of privacy exceed what HIPAA requires. And patients are complaining to the OCR – the Office for Civil Rights, the federal agency that enforces HIPAA – about their privacy rights being violated by providers much more frequently than they were 10 years ago.”
She says that thinking about HIPAA only as a burdensome regulation is a missed opportunity.
“HIPAA and privacy regulations are opportunities to focus on dignity in patient care,” Scavotto says.
“Privacy issues are at the heart of customer service and patient retention. And it’s a meaningful topic for employees because every employee is a patient somewhere. Being part of an organization that elevates the patient privacy element is impactful.”
Scavotto advises making education around HIPAA and privacy issues pervasive. She shares an example of a compliance officer who was contacted for guidance after a hospital system purchased 1,500 iPads for field staff without securing funds to encrypt the devices.
While the compliance officer was able to help resolve the issue, the example highlights why compliance professionals must be visible and be at the table when decisions are made. It also underscores the value of liaison programs and operational compliance committees.
As Ken Zeko notes, operational compliance committee meetings are the perfect venue for asking questions such as: Who's going to buy something new? Who's looking at new vendors?
Lisa Herota adds that privacy issues also highlight the need for ongoing education. She believes employees genuinely want to protect patients’ privacy and that the best privacy policies are the ones employees hear about on a regular basis.
“We engage employees via a Privacy & Compliance Corner in our organization’s weekly Monday Messages newsletter, for example,” Herota says. “And we partner with IT Security to email biweekly tips on keeping the organization safe – from cyberattacks and phishing – and protecting patient information.”
She says providing tangible privacy tips that employees can implement in their daily workflows is most useful. And she encourages making educational campaigns fun. “Part of our HIPAA educational campaign was awarding Starbucks gift cards to the first employees who called the compliance hotline and correctly shared what the acronym stands for,” she says. “It raised awareness of HIPAA and of our compliance hotline.”
“Cybersecurity is a never-ending battle in healthcare,” Herota adds. “It only takes one employee to click a link and let bad actors into our system, creating a domino effect of chaos.”
She shares how her team responded to a cyber issue by creating a simulated phishing email platform as an educational tool. When she presented the platform for approval to executives, it included increasingly punitive sanctions if employees clicked a link, responded to an email, or opened an attachment.
Executives asked for more aggressive sanctions, including immediate termination. They likened it to not allowing an employee to set a fire in the operating room more than once.
Herota pushed back, explaining that employees first need education – whether it’s on preventing a fire or avoiding a phishing scam. They compromised on starting with a four-step escalation program.
“After six months of having this policy in place, nobody has made it past the second ‘failure’ of clicking a link, responding to an email, or opening an attachment,” Herota reports. “It proves my point that education and training are effective.”
Ken Zeko agrees with Herota’s approach. He advises compliance officers to avoid using “draconian must-terminate language” and to focus, instead, on having conversations. “There are often plausible reasons why an employee commits a compliance infraction,” Zeko says.
In these situations, Zeko recommends explaining the extenuating circumstances and giving the employee a warning instead of terminating him or her.
“If you’re able to coach an employee after the infraction, you may make that person your number-one compliance liaison for life,” Zeko says.
Content for this article was reprinted from a YouCompli white paper published in February of 2023. In “The Opportunity for Compliance to Create Value for Healthcare Organizations,” compliance experts shared ways to earn recognition across your stakeholders as a value creator.
Jerry Shafran is the founder and CEO of YouCompli. He is a serial entrepreneur who builds on a solid foundation of information technology and network solutions. Jerry launches, manages, and sells software and content solutions that simplify complex work. His innovations enable professionals to focus on their core business priorities.