The Zen of Data Protection · *Strategy& (PwC), The Birth of the Healthcare Consumer (Oct. 2014)...
1/28/2016
Beyond HIPAA Compliance:
Privacy & Security in the Reform Era
© 2016 The Health Law Consultancy
Kathy Roe, Managing Attorney & Co-Founder
The Health Law Consultancy, Chicago, Illinois
[email protected] | (312) 332-7711
www.hlconsultancy.com
February 1, 2016
HCCA Managed Care Compliance Conference
The Zen of Data Protection
Zen Wisdom
• Before enlightenment—
– Chop wood
– Carry water
• After enlightenment—
– Chop wood
– Carry water
Data Protection: Wood & Water
o Essentials of data protection
• Risk analysis
• Risk management
• Safeguards
• Policies & procedures
• Workforce training
• Documentation
Data Protection: Chopping & Carrying
o Persistence with data protection wood & water—
• Continuously doing the essentials of data protection,
• Even when difficult, ignored or opposed
The New Age of Data Protection
Reform Begets Retail Healthcare
o ACA Public Exchanges—Individuals’ option to shop individual & family health plans at retail
o ACA SHOPs—Small employers’ defined contribution option for employees to shop group health plans at retail
o Private Exchanges—All employers’ defined contribution option for employees to shop group health plans at retail
o Medicaid Waiver / Medicare Advantage / Medicare Part D—Individuals’ option to shop government health program private plans at retail
Retail Healthcare Empowers Consumerism
o “The healthcare market . . . is being upended and the consumer is in the driver’s seat”*
o “American consumers were patients, not purchasers. This is changing rapidly as individuals shoulder more of the cost of their own care.”**
*Strategy& (PwC), The Birth of the Healthcare Consumer (Oct. 2014)
**PwC, Money Matters: Billing and Payment for a New Health Economy (May 2015)
Consumerism Begets Consumer Expectations
o Consumers want health care delivered with:
• Convenience
• Transparency
• Choice
• Value
• Personalization
Consumer Expectations Beget Delivery Challenges
o In retail healthcare, success mandates seamless “consumer experience”
o Seamless “consumer experience” is
• One by one
• Consistent
• Across communication channels
• Across service providers
Data Strategy to Deliver “Consumer Experience”
o Consumers’ data teach wants & likes
o Collect, analyze & use key personal data
• Consumer’s self-disclosed data
• Consumer’s provider-reported data
• Consumer’s digital exhaust
• Consumer’s profiling data
Data Imperatives for Strategy to Work
o Consumer trust
o Consumer confidence
“In an information economy, access to data is critical, and consumer trust is the key that will unlock it.”*
*T. Morey, T. Forbath & A. Schoop, Customer Data: Designing for Transparency and Trust, Harvard Business Review (May 2015)
Threatening Consumer Trust
Consumer Trust
o Hard to earn
o Easy to betray
“Customer satisfaction is fragile; brands get blamed for bad experiences.”*
“[U]nderstanding and being responsive to customer needs [is how] businesses can [use] data to benefit companies and consumers alike.”**
*PwC, Personal Health Management: The Rise of the Empowered Consumer (2015)
**D. Rogers, How Business Can Gain Consumers Trust Around Data, Forbes (Nov. 2, 2015)
Threats to Consumer Trust: Bafflegab
o Consumer accesses online account with PBM through health plan’s portal for mail order pharmacy Rx refill
o Consumer gets PBM’s prompt for permission to track consumer’s physical location
Threats to Consumer Trust: Bafflegab
o Consumer contacts health plan CSR:
“Why does [your PBM] need to track my physical location?”
o Health plan CSR:
“[PBM] does not track a member’s location. The location prompt is sometimes received if you’re using a mobile phone or iPad to help you find a pharmacy or store nearby.”
Threats to Consumer Trust: Bafflegab
o Consumer:
“But I got the member location prompt while using a desktop computer for mail order pharmacy refill.”
o Health plan CSR:
“You may receive the location prompt so the website can help you find a pharmacy nearby. . . . For further questions regarding this prompt, please call the [PBM].”
Threats to Consumer Trust: Bafflegab
o Consumer Experience—Baffling
• No logical or legitimate explanation for location data request on mail order pharmacy Rx refill
• CSR did nothing to help or support consumer
• No confidence health plan or PBM isn’t fishing for personal data for undisclosed purposes
Threats to Consumer Trust: Creepiness
o Consumer enrolls in Medicare Advantage HMO on health plan’s website; reviews HMO’s online provider directory
o Consumer receives ID card assigning PCP reviewed, but not selected, online
o Consumer calls PCP at number on ID card; learns PCP left practice
Threats to Consumer Trust: Creepiness
o Consumer contacts health plan CSR:
“Got ID card with PCP name and number, but PCP isn’t there.”
o Health plan CSR:
“You may find another PCP on our website.”
Threats to Consumer Trust: Creepiness
o Consumer Experience—Perplexing
• No explanation how health plan learned to associate PCP with consumer
• No confidence health plan isn’t data mining access of its website for undisclosed purposes
Threats to Consumer Trust: Unresponsive
o Consumer makes written request to health plan for PHI electronic copy, referencing Privacy Rule access right and requesting email delivery
o Health plan responds, “unable to send PHI electronically . . . because email is not a secure method of transmission.”
Threats to Consumer Trust: Unresponsive
o Privacy Rule on Access Rights:
• “[I]f the individual requests . . ., the covered entity must provide [PHI] in the electronic form and format requested [if] readily producible . . .;
• “if not, in a readable electronic form and format as agreed to by the covered entity and the individual”*
o OCR Preamble on Access Rights:
• “[I]ndividuals . . . notified of the risks [who] still prefer unencrypted email [have] the right to receive [PHI] in that way”**
*45 CFR 164.524(c)(2)(ii)
**78 Fed. Reg. 5566, 5634 (Jan. 25, 2013)
Threats to Consumer Trust: Unresponsive
o Consumer Experience—Aggravation
• No notification (despite OCR) consumer may accept risk and receive PHI electronic copy by email
• No alternative offer
• No confidence health plan cares about consumer’s convenience or legal compliance with consumer’s rights
Threats to Consumer Trust: Lax Cybersecurity
o CY2015—52 covered entities hacked for “large” unsecured PHI breaches
• 24 (or 46%) were health plans
• But health plan hacks compromised PHI of 95% (i.e., 103M of 108M) of affected consumers*
*OCR Breach Portal as of Jan. 3, 2016
Threats to Consumer Trust: Lax Cybersecurity
o Consumer Experience—Anxiety
• Health industry track record belies standard industry mantra—“we take your privacy seriously”
• No confidence health industry protects personal data
Building Consumer Trust
Building Blocks for Consumer Trust
o Educate consumers about personal data collection, generation, use & disclosure practices
• Impersonal distribution of HIPAA Privacy Practices Notices neither consumer friendly nor sufficient
• Impersonal website/mobile app legalistic “Privacy Statement” neither consumer friendly nor sufficient
T. Morey, T. Forbath & A. Schoop, Customer Data: Designing for Transparency and Trust, Harvard Business Review (May 2015)
Building Blocks for Consumer Trust
o Champion consumer engagement with and control of personal data
• Impersonal distribution of HIPAA Privacy Practices Notices insufficient communication of consumer’s PHI rights
• Mechanically responding to consumer’s PHI rights exercise insufficient to demonstrate consumer care
T. Morey, T. Forbath & A. Schoop, Customer Data: Designing for Transparency and Trust, Harvard Business Review (May 2015)
Building Blocks for Consumer Trust
o Deliver consumer health care wants in exchange for consumer’s permitted personal data collection, use & disclosure
• “Business as usual” insufficient in face of consumerism
• Insufficient to use enhanced personal data to facilitate targeted marketing or health plan business interests without transparent disclosure to consumer
T. Morey, T. Forbath & A. Schoop, Customer Data: Designing for Transparency and Trust, Harvard Business Review (May 2015)
Building Blocks for Consumer Trust
o Make data protection every workforce member’s job responsibility
• Not enough to make data protection a priority only for compliance or IT
• Not enough to set data protection expectations for workforce without consequences for non-compliance
J. Winnefeld Jr., C. Kirchhoff & D. Upton, Cybersecurity’s Human Factor: Lessons from the Pentagon, Harvard Business Review (Sept. 2015)
Building Blocks for Consumer Trust
o Encourage data protection mistake self-reporting with focus on process improvement
• Not enough to mandate workforce self-reporting
• Not enough to treat intentional and unintentional workforce data protection lapses same
J. Winnefeld Jr., C. Kirchhoff & D. Upton, Cybersecurity’s Human Factor: Lessons from the Pentagon, Harvard Business Review (Sept. 2015)
Building Blocks for Consumer Trust
o Test data protection defenses regularly
• Not enough to conduct external attacks on internal information networks
• Not enough to conduct internal inspections of operational IT practices of network administrators
J. Winnefeld Jr., C. Kirchhoff & D. Upton, Cybersecurity’s Human Factor: Lessons from the Pentagon, Harvard Business Review (Sept. 2015)
Building Blocks for Consumer Trust
o Motivate data protection commitment by reinforcing data protection positives
• Consumer caring
• Competitive necessity
• Essential to success
HCCA Managed Care Compliance Conference
Kathy Roe, Managing Attorney & Co-Founder, The Health Law Consultancy, Chicago, Illinois
(312) 332-7711 www.hlconsultancy.com
February 1, 2016