How Two Systems Create a Culture of Compliance with Data Governance in Healthcare

October 3, 2019 Michela Duggan

Governance serves a dizzying array of purposes in healthcare – from acting as a blanket set of responsibilities to which an organization adheres to protecting systems through OCR audits and safeguarding patient privacy. With all the advantages that data governance in healthcare has to offer, how can privacy, compliance, and security professionals reap the benefits?

Elizabeth Champion, VP and Chief Compliance Officer at Franciscan Missionaries of Our Lady Health System (FMOLHS), and Scott Didion, System Director and Privacy Officer at SSM Health, sat down with Courtney Wolfe, Privacy Analyst at FairWarning, and Lisa Fiene, Training Manager at FairWarning, in a recent webinar to discuss governance best practices and trends for 2020.

 Boost your privacy program

Establishing governance policies at healthcare organizations is paramount to maintaining a strong privacy program. Scott Didion, System Director and Privacy Officer at SSM Health, uses governance data to strengthen the privacy program at his organization, which stands on six pillars:

  • Investigations and breach reporting – Day-to-day investigations, employee helpline concerns, HR and manager inquiries, patient advocacy and concerns.
  • Workforce monitoring – Monitoring for workforce and household snooping, high-volume users, patients of interest/VIPs, email exfiltration, and when a user breaks the glass in Epic.
  • Training and communication – New employee and executive onboarding, and annual privacy training for staff.
  • Risk assessment and work plan – Risk assessment interviews with internal audits, risk prioritization, and work plans.
  • Third-party data sharing – Business Associate Agreements (BAA), risk assessments, affiliate agreements, and EMR issues.
  • Strategic initiative report – Policy enforcements, ONC and Office of Civil Rights (OCR) enforcements, and population health initiatives.

By creating policies that monitor instances of employee snooping, same household snooping, VIP patient snooping, self-modification of records, onboarding and training, and reporting on activities to the ONC and OCR, SSM Health protects patient privacy and adheres to HIPAA while maintaining the governance data necessary for reporting to their board and other governing bodies.

Use governance for education and employee training

With the level of insight that data governance provides, privacy, compliance, and security professionals can leverage this information to determine which departments may require privacy training. At FMOLHS, governance data is an essential part of their privacy program. They use it to focus on training the team when they find inappropriate access, determine why it’s happening, and educate personnel on actions they can take to avoid further incident.

By tailoring their training program around governance data, they’ve reduced cases of coworker snooping, household snooping, and self-access with modification alerts to meet departmental goals.

“The visibility that we have with these efforts really has helped us reduce the number of violations that we’re seeing in specific areas.” – Elizabeth Champion, VP and Chief Compliance Officer at FMOLHS

Courtney Wolfe, Privacy Analyst at FairWarning, expanded upon the importance of utilizing governance data to determine which managers within organizations receive the most investigations and volume of unauthorized access. From that information, she determines which departments – and managers themselves – could benefit from additional education.

“That really highlights an opportunity there to go to those managers maybe and provide retraining.” – Courtney Wolfe, Privacy Analyst at FairWarning

Satisfy your board and stakeholders

FMOLHS uses governance data to report to key executives, who actively engage in the health system’s privacy program. Their board expects governance data on a granular level to keep up to date on disciplinary actions that the organization is taking, as well as trends in behavior and types of access.

FMOLHS receives questions from management about the finer details that governance data can offer, including the number of investigations. Their board is interested in knowing how FMOLHS compares to other markets and among organizations of a similar size. With governance data by category, region, location, and disciplinary actions, FMOLHS can provide their board with the granular details needed to maintain visibility from the bottom up.

Using governance to nurture a culture of compliance

Governance data empowered organizations like SSM Health and FMOLHS to create a culture of compliance at their facilities. In a nutshell, a culture of compliance is when people in an organization do the right thing even when they know they aren’t being monitored. At FMOLHS, users understand what types of behaviors would trigger an alert. And in situations where a questionable access is unavoidable, such as when an employee is working at the ER front desk and a family member comes in for care, they know to reach out to the privacy and compliance teams to explain why that access was business-related.

 “We feel like we are starting to progress into a more mature program because we have team members self-reporting to us.” – Elizabeth Champion, VP and Chief Compliance Officer at FMOLHS

Ultimately, governance data and reporting empowers healthcare organizations to do their due diligence to protect privacy, maintain compliance, and prevent data breaches. Not only is it essential for reporting trends to governing bodies and boards of directors, but it can also be used to provide users with essential training to nurture a culture of compliance.

“We’re having leaders starting to take ownership of what’s happening in their areas and really starting to challenge their team to make sure they understand that protecting patient privacy doesn’t just lie with the privacy officers, that it’s everyone’s job.” – Elizabeth Champion, VP and Chief Compliance Officer at FMOLHS

Previous Article
Monthly Cloud Security Roundup: UK Banks’ Top Priority, New Salesforce Capabilities, the DoorDash Data Breach, and More
Monthly Cloud Security Roundup: UK Banks’ Top Priority, New Salesforce Capabilities, the DoorDash Data Breach, and More

Discover the latest in cloud security news with September’s roundup, including the DoorDash data breach, ne...

Next Article
Salesforce Data Privacy and Why It Matters: Establishing Robust Privacy Practices in Salesforce and Beyond
Salesforce Data Privacy and Why It Matters: Establishing Robust Privacy Practices in Salesforce and Beyond

In the webinar, Why Privacy Matters: How to Establish Trust Through Salesforce Security and Privacy, Salesf...