HIPAA Omnibus: The CIO's Role
New CIO Association Leader on Compliance Issues
Healthcare chief information officers need to take a clear leadership role on privacy and security, including compliance with the new HIPAA Omnibus Rule, says Russ Branzell, the new CEO of the College of Healthcare Information Management Executives.
"I think the role is quite simple. The CIOs have the responsibility to be the leaders," says Branzell, a former CIO who in April took on the full-time role of president and CEO at CHIME, an association representing more than 1,450 healthcare CIOs. And when it comes to HIPAA Omnibus specifically, it's the CIO's responsibility to make sure all requirements are met, he says in an interview with HealthcareInfoSecurity (transcript below).
Branzell stresses that improved privacy and security pave the way for organizations to deliver high-quality care. "If you look at this from a proactive-care perspective, we actually can improve patient care, improve patient safety, and even reduce the workload if we know we're getting the right information at the right time to the right people," he says. "We can actually reduce the expense. I would love to see as we move forward that we actually prove that information security and privacy is a contributor to better healthcare."
In the interview, Branzell also discusses:
- The biggest security and privacy challenges facing healthcare organizations;
- The CIO's role in security and privacy;
- The importance of matching all relevant records to the right patient, especially during health information exchange.
Branzell is the former CIO of Poudre Valley Health System, which became Colorado Health Medical Group, a division of the University of Colorado Health. He is a past member of the CHIME Board of Trustees, past chair of CHIME StateNet and past chair of the CHIME Education Foundation. He served as chair of the CHIME Education Committee from 2004-2008 and is a member of the CHIME Healthcare CIO Boot Camp faculty. He is a Certified Healthcare CIO (CHCIO), a fellow of CHIME and HIMSS, and board certified through the American College of Healthcare Executives.
Security, Privacy Challenges
MARIANNE KOLBASUK MCGEE: What do you see as the biggest data security and privacy challenges facing healthcare organizations right now?
RUSS BRANZELL: Probably the [biggest challenge is the] overwhelming amount of requirements right now that exist for the CIO and security officer. If you just look at the prevalence of these new positions that are popping up of chief information security officers or chief health security officers, it's indicative of what's happening in our industry with the pervasive needs for security and privacy. By no means am I suggesting that these aren't real and important - they are. It's just the requirements are growing larger and larger every day, and part of that is with the prevalence of how information's being exchanged.
Most CIOs have worried [until recently] about the intra-hospital exchange of information for privacy and security. And now, what we're seeing is the broader outside-the-walls concept of our responsibilities of information exchange.
You can look [at data exchange] within a hospital with its medical group, its medical community and its defined community - but even more now on a regional basis or even a state basis with HIEs [health information exchanges]. What's occurring now is this whole concept of patient data flow and this ecosystem of patient flow that the CIOs are trying to [understand and develop] their overall policies around. There are so many touch-points for the patient record now that I think CIOs are really grappling with the concepts of how they can manage all of this in such a huge ecosystem, which, in many cases, they don't have control over. ...
MCGEE: You touched upon regulations. What do you think of the HIPAA Omnibus Final Rule that was just released and the new responsibility that business associates and subcontractors have for protecting patient data?
BRANZELL: I think there are parts of the rule that I'm sure most CIOs would say were needed and required. There are also parts in there that they would say, "Wow, there's just so much more I've got to do." I think the reality - and specific to your question - is it finally aligns the concept and the playing field of what was traditionally covered for covered entities, and ... what the requirements are of business associates. ... The attempt here was to try to create some clarity in there, and it also ... requires a lot more contract re-negotiations than we did in the past. ...
The reality is we really did need, for lack of a better term, HIPAA 2.0 to refresh what was historically in those regs from quite a while back.
HIPAA Omnibus Challenges
MCGEE: What do you think will be the biggest challenges for healthcare organizations in implementing and complying with the HIPAA Omnibus rule?
BRANZELL: ... The overall workloads that are facing today's CIOs are pretty tremendous. They're trying to do everything proactive to improve patient care and to implement new systems that are required for safety. They're also in this process now of healthcare reform and cost-reduction, where there's a lot more pressure to reduce overall expense and get down the Medicare rates. And, oh, by the way, make sure you do all of that at the same time you've got to implement a new set of HIPAA rules relative to your organization.
... I'm absolutely for privacy and security. I think it's absolutely essential that we do this. But this never-ending movement of targets that's happening right now and making sure that we can track and actually watch where all this data flows through our system in a really large ecosystem that can be very dynamic is difficult for the average CIO to be able to track, especially with so much information flowing from outside of it.
If you just look at the process of where almost instantly somebody in the past with, say, a cloud computing service was really kind of excluded from some of this, instantly they become part of the [HIPAA compliance] process and you need to track the data or make sure they track the data and make sure you can figure out where it all goes. And then balancing with all the other security, not necessarily HIPAA, and technical requirements that we have out there is just an overwhelming amount of work that needs to be done.
CIO's Role in Privacy, Security
MCGEE: What do you see as the role of healthcare CIOs in privacy and security, as well as in HIPAA Omnibus compliance?
BRANZELL: I think the role is quite simple. The CIOs have the responsibility to be the leaders. The CIOs - the senior health information management, the overall IT leader for any organization ... - need to make sure that at least these requirements are being met. But I would even say that one of the things we need to do as we move forward is to be more proactive in the development of these rules and the interpretation of these rules.
We want to obviously strive for data integrity. We want to make sure that there's all the appropriate information that's out there. One of the things we think of with privacy and security is that it becomes kind of the police force of the information. When in reality, one of the things you can do with good information security and privacy is you're actually making sure the right information is getting to the right place at the right time for the right people. If you look at this from a proactive-care perspective, we actually can improve patient care, improve patient safety, and even reduce the workload if we know we're getting the right information at the right time to the right people. We can actually reduce the expense. I would love to see as we move forward that we actually prove that information security and privacy is a contributor to better healthcare.
HITECH Act Stage 3
MCGEE: On the topic of regulations, are there any particular security and privacy-related requirements or issues that you would like to see adopted or addressed in Stage 3 of the HITECH Act's electronic health record incentive program?
BRANZELL: One of the things we would be very cautionary in is looking at Stage 3 of meaningful use as really an alternative avenue or a different way to implement security and privacy. We have a specific reg and we have specific requirements for that purpose. The one area that I would be very optimistic is if somehow, through the process - whether it's [HITECH] meaningful use or other areas - we have the ability to ensure through some requirements [proper] data matching, as well as overall patient matching.
By no means am I suggesting the government needs to adopt a universal identifier. ... But rather, how do we ensure that we're working through this process to make sure we have the right patient at the right place at the right time? I would be very hesitant saying we need to use Stage 3 - which is really about the EHR adoption, helping those meeting through three stages - to say that's an alternative to our security rights that are out there or mandating that into the certified EHR process. There's already a step in there that says it needs to meet the HIPAA rule, so it infers to an outside standard, and I would hope we would continue to do that through this continued process of referring to other national, governmental or other standards rather than create new standards within the [HITECH] meaningful use requirements.