
The Zen of Data Protection

1/28/2016

Beyond HIPAA Compliance:

Privacy & Security in the Reform Era

© 2016 The Health Law Consultancy

Kathy Roe, Managing Attorney & Co-Founder

The Health Law Consultancy, Chicago, Illinois

[email protected]
(312) 332-7711

www.hlconsultancy.com

February 1, 2016

HCCA Managed Care Compliance Conference

The Zen of Data Protection


Zen Wisdom

• Before enlightenment—

– Chop wood

– Carry water

• After enlightenment—

– Chop wood

– Carry water


Data Protection: Wood & Water

o Essentials of data protection

• Risk analysis

• Risk management

• Safeguards


• Policies & procedures

• Workforce training

• Documentation


Data Protection: Chopping & Carrying

o Persistence with data protection wood & water—

• Continuously doing the essentials of data protection,

• Even when difficult, ignored or opposed


The New Age of Data Protection


Reform Begets Retail Healthcare

o ACA Public Exchanges—Individuals’ option to shop individual & family health plans at retail

o ACA SHOPs—Small employers’ defined contribution option for employees to shop group health plans at retail

o Private Exchanges—All employers’ defined contribution option for employees to shop group health plans at retail

o Medicaid Waiver / Medicare Advantage / Medicare Part D—Individuals’ option to shop government health program private plans at retail


Retail Healthcare Empowers Consumerism

o “The healthcare market . . . is being upended and the consumer is in the driver’s seat”*

o “American consumers were patients, not purchasers. This is changing rapidly as individuals shoulder more of the cost of their own care.”**

*Strategy& (PwC), The Birth of the Healthcare Consumer (Oct. 2014)
**PwC, Money Matters: Billing and Payment for a New Health Economy (May 2015)

Consumerism Begets Consumer Expectations

o Consumers want health care delivered with:

• Convenience

• Transparency

• Choice

• Value

• Personalization


Consumer Expectations Beget Delivery Challenges

o In retail healthcare, success mandates seamless “consumer experience”

o Seamless “consumer experience” is

• One by one

• Consistent

• Across communication channels

• Across service providers


Data Strategy to Deliver “Consumer Experience”

o Consumers’ data teach wants & likes

o Collect, analyze & use key personal data

• Consumer’s self-disclosed data

• Consumer’s provider-reported data

• Consumer’s digital exhaust

• Consumer’s profiling data


Data Imperatives for Strategy to Work

o Consumer trust

o Consumer confidence

“In an information economy, access to data is critical, and consumer trust is the key that will unlock it.”*

*T. Morey, T. Forbath & A. Schoop, Customer Data: Designing for Transparency and Trust, Harvard Business Review (May 2015)

Threatening Consumer Trust


Consumer Trust

o Hard to earn

o Easy to betray

“Customer satisfaction is fragile; brands get blamed for bad experiences.”*

“[U]nderstanding and being responsive to customer needs [is how] businesses can [use] data to benefit companies and consumers alike.”**

*PwC, Personal Health Management: The Rise of the Empowered Consumer (2015)
**D. Rogers, How Business Can Gain Consumers Trust Around Data, Forbes (Nov. 2, 2015)


Threats to Consumer Trust: Bafflegab

o Consumer accesses online account with PBM through health plan’s portal for mail order pharmacy Rx refill

o Consumer gets PBM’s prompt for permission to track consumer’s physical location


Threats to Consumer Trust: Bafflegab

o Consumer contacts health plan CSR:

“Why does [your PBM] need to track my physical location?”

o Health plan CSR:

“[PBM] does not track a member’s location. The location prompt is sometimes received if you’re using a mobile phone or iPad to help you find a pharmacy or store nearby.”


Threats to Consumer Trust: Bafflegab

o Consumer:

“But I got the member location prompt while using a desktop computer for mail order pharmacy refill.”

o Health plan CSR:

“You may receive the location prompt so the website can help you find a pharmacy nearby. . . . For further questions regarding this prompt, please call the [PBM].”


Threats to Consumer Trust: Bafflegab

o Consumer Experience—Baffling

• No logical or legitimate explanation for location data request on mail order pharmacy Rx refill

• CSR did nothing to help or support consumer

• No confidence health plan or PBM isn’t fishing for personal data for undisclosed purposes


Threats to Consumer Trust: Creepiness

o Consumer enrolls in Medicare Advantage HMO on health plan’s website; reviews HMO’s online provider directory

o Consumer receives ID card assigning PCP reviewed, but not selected, online

o Consumer calls PCP at number on ID card; learns PCP left practice


Threats to Consumer Trust: Creepiness

o Consumer contacts health plan CSR:

“Got ID card with PCP name and number, but PCP isn’t there.”

o Health plan CSR:

“You may find another PCP on our website.”


Threats to Consumer Trust: Creepiness

o Consumer Experience—Perplexing

• No explanation how health plan learned to associate PCP with consumer

• No confidence health plan isn’t data mining access of its website for undisclosed purposes


Threats to Consumer Trust: Unresponsive

o Consumer makes written request to health plan for PHI electronic copy, referencing Privacy Rule access right and requesting email delivery

o Health plan responds, “unable to send PHI electronically . . . because email is not a secure method of transmission.”


Threats to Consumer Trust: Unresponsive

o Privacy Rule on Access Rights:

• “[I]f the individual requests . . ., the covered entity must provide [PHI] in the electronic form and format requested [if] readily producible . . .;

• “if not, in a readable electronic form and format as agreed to by the covered entity and the individual”*

o OCR Preamble on Access Rights:

• “[I]ndividuals . . . notified of the risks [who] still prefer unencrypted email [have] the right to receive [PHI] in that way”**

*45 CFR 164.524(c)(2)(ii)
**78 Fed. Reg. 5566, 5634 (Jan. 25, 2013)


Threats to Consumer Trust: Unresponsive

o Consumer Experience—Aggravation

• No notification (despite OCR) consumer may accept risk and receive PHI electronic copy by email

• No alternative offer

• No confidence health plan cares about consumer’s convenience or legal compliance with consumer’s rights


Threats to Consumer Trust: Lax Cybersecurity

o CY2015—52 covered entities hacked for “large” unsecured PHI breaches

• 24 (or 46%) were health plans

• But health plan hacks compromised PHI of 95% (i.e., 103M of 108M) of affected consumers*

*OCR Breach Portal as of Jan. 3, 2016


Threats to Consumer Trust: Lax Cybersecurity

o Consumer Experience—Anxiety

• Health industry track record belies standard industry mantra—“we take your privacy seriously”

• No confidence health industry protects personal data

Building Consumer Trust


Building Blocks for Consumer Trust

o Educate consumers about personal data collection, generation, use & disclosure practices

• Impersonal distribution of HIPAA Privacy Practices Notices neither consumer friendly nor sufficient

• Impersonal website/mobile app legalistic “Privacy Statement” neither consumer friendly nor sufficient

T. Morey, T. Forbath & A. Schoop, Customer Data: Designing for Transparency and Trust, Harvard Business Review (May 2015)


Building Blocks for Consumer Trust

o Champion consumer engagement with and control of personal data

• Impersonal distribution of HIPAA Privacy Practices Notices insufficient communication of consumer’s PHI rights

• Mechanically responding to consumer’s PHI rights exercise insufficient to demonstrate consumer care

T. Morey, T. Forbath & A. Schoop, Customer Data: Designing for Transparency and Trust, Harvard Business Review (May 2015)


Building Blocks for Consumer Trust

o Deliver consumer health care wants in exchange for consumer’s permitted personal data collection, use & disclosure

• “Business as usual” insufficient in face of consumerism

• Insufficient to use enhanced personal data to facilitate targeted marketing or health plan business interests without transparent disclosure to consumer

T. Morey, T. Forbath & A. Schoop, Customer Data: Designing for Transparency and Trust, Harvard Business Review (May 2015)


Building Blocks for Consumer Trust

o Make data protection every workforce member’s job responsibility

• Not enough to make data protection a priority only for compliance or IT

• Not enough to set data protection expectations for workforce without consequences for non-compliance

J. Winnefeld Jr., C. Kirchhoff & D. Upton, Cybersecurity’s Human Factor: Lessons from the Pentagon, Harvard Business Review (Sept. 2015)


Building Blocks for Consumer Trust

o Encourage data protection mistake self-reporting with focus on process improvement

• Not enough to mandate workforce self-reporting

• Not enough to treat intentional and unintentional workforce data protection lapses same

J. Winnefeld Jr., C. Kirchhoff & D. Upton, Cybersecurity’s Human Factor: Lessons from the Pentagon, Harvard Business Review (Sept. 2015)


Building Blocks for Consumer Trust

o Test data protection defenses regularly

• Not enough to conduct external attacks on internal information networks

• Not enough to conduct internal inspections of operational IT practices of network administrators

J. Winnefeld Jr., C. Kirchhoff & D. Upton, Cybersecurity’s Human Factor: Lessons from the Pentagon, Harvard Business Review (Sept. 2015)


Building Blocks for Consumer Trust

o Motivate data protection commitment by reinforcing data protection positives

• Consumer caring

• Competitive necessity

• Essential to success

HCCA Managed Care Compliance Conference

Kathy Roe, Managing Attorney & Co-Founder, The Health Law Consultancy, Chicago, Illinois

[email protected]

(312) 332-7711 www.hlconsultancy.com

February 1, 2016