By Jason Silverstein, COO, PHIflow
Guest Contributor: Michael Wildsmith, HIPAA Privacy and Security Officer, Cornerstone of Recovery
I recently sat down with PHIflow user Michael Wildsmith, HIPAA Privacy and Security Officer at Cornerstone of Recovery, for a Q&A session about the importance of patient privacy in the context of substance abuse and mental health treatment.
Michael, all providers have federal requirements as well as ethical obligations to protect their patients’ health information. Why is it extra important to safeguard PHI at a Substance Abuse and Mental Health facility?
For us, it all starts with trust. For those suffering from addiction or mental health issues, it is difficult to ask for help. Many of our patients have a history of either having their trust betrayed or breaking the trust of others. To best facilitate an effective road to recovery, we have to help restore trust in patients’ lives. Although trust is typically something between individuals that must be earned over time, as a care provider we have to show our trustworthiness from our first point of contact – either in person or on the phone – and throughout the entire care continuum. When someone comes to the decision to ask for help and comes to Cornerstone, as soon as they walk through the doors we want them to trust us. But trust for us means far more than just meeting the minimum requirements to safeguard health information. Protecting an individual’s presence in treatment, as well as their health information in general, is vital to the success of a good treatment experience. Patients have to trust us! We’d feel this way even if we weren’t required to under HIPAA.
That’s on the patient level. How does trust roll over to the vendors you choose to work with?
To deliver the best end-to-end care experience, we rely on a number of third parties and partner organizations to help with various parts of our operations. But bringing in outside vendors comes with many challenges and risks related to privacy and security. Any vendor that does business with us must understand that the privacy and security of our patients is a priority beyond just HIPAA and HITECH, and they need to prove that they have that same priority. To ensure and enforce that all our vendors take privacy seriously, we require that all vendors sign extremely meticulous Business Associate Agreements (BAAs), contractually obligating them to abide by a strict and specific set of privacy standards. Most vendors are willing to do this, and we’ve had great success with those professional relationships. A prospective vendor that doesn’t quite show the commitment to privacy that we require, regardless of its service offering or price, is a vendor that we cannot trust to be part of our operations. After all, these are our patients, not theirs. Our patients trust us, and we have to trust our vendors.
Can you talk about what a security incident would look like for you? What if it wasn’t your fault, and in fact was the responsibility of one of your third parties?
If I play the tape out for a potential security incident, the impacts are far and wide. Whether the incident was our fault or the fault of a vendor, it wouldn’t matter all that much because the result would be the same. Covered entities implicated in breaches today are fined large sums of money, take on bad press and have to undergo invasive audits. But what the news outlets never share are the patient stories. Sure, our reputation as a leading substance abuse treatment center could be tarnished, but even worse, one or more of our patients’ recoveries could be jeopardized. It goes back to trust. If a person puts their trust in us and we break that trust, it could trigger emotions that can be extremely damaging on their road to recovery. Personally, I read about security incidents and breaches and always think about the patients. They’re the ones who are hurt the most, especially in the substance abuse arena.
What is one of the most difficult parts of your job?
As I mentioned earlier, regarding privacy and security regulations, we must always apply the strictest rules regardless of whether they are federal or state regulations. This can be a challenge sometimes because of the inconsistencies in the laws. HIPAA regulations allow the disclosure of health information for the purposes of treatment, payment and operations without patient consent. But let’s look at the Substance Abuse and Mental Health Services Administration (SAMHSA) law that applies to us, called 42 CFR Part 2. The “Part 2” regulations override HIPAA and state law in that, regardless of purpose, providers must have consent from patients for any disclosure of information. Further, our state regulations require retention of patient records for up to 10 years, where HIPAA requires 7. These are just small examples, and there are many that impact how we manage our vendor relationships as well. Conflicting or differing federal and state laws or mandates, along with keeping up with changes to those laws, make my job as a compliance officer more difficult.
What does being a successful HIPAA Privacy and Security Officer mean to you?
To be a successful HIPAA Privacy and Security Officer at a substance abuse treatment center or mental health clinic, there are many added layers of responsibility to safeguard PHI. Many are internal facing and start with ongoing training and education for staff. Regular and ongoing risk assessments and risk management exercises are very important. I have to make sure we are always updating policies and procedures and reeducating staff on those updates. Success in my role means assuring our patients that their confidentiality is held to the highest degree. But externally, it also means always holding our vendors accountable, which starts with managing our BAAs very carefully. I can tell you, having a centralized view of all the organizations that have access to our patient data makes oversight much easier for me. Having the ability to pull key terms and dates from those agreements and understand how each relationship may differ has definitely helped me be more successful at my job. As I said before, there are confusing and conflicting laws, and these laws are changing and getting more complicated. I need to make sure I can see the impact of changing privacy laws as it relates to each one of my vendor relationships. As an organization we need to give our staff the best tools to make everyone’s life easier, not harder. Compliance is for our patients, and we must not forget what our mission is. This is what creates an organizational culture of compliance. We take it very seriously here at Cornerstone of Recovery.
PHIflow is a data and technology company combining artificial intelligence and legal expertise to help companies understand their HIPAA Business Associate Agreement (BAA) risks and requirements.