Ten Steps to a Quality Privacy Program: Taking Your Program to the Next Level
By Deidre Rodriguez, CIPP/US
The healthcare world is becoming increasingly complex, especially in terms of compliance and privacy. New technologies, shifting care delivery models and continuous innovation make privacy challenging. When you stand back and look at the complexity of the industry, 10 basic steps come to light that together create a quality privacy program.
1) Create roadmaps or crosswalks of regulatory/contractual requirements.
Gather all privacy compliance requirements that apply to your organization. It is difficult to comply if you do not know specifically what your requirements are. Create a map or crosswalk that ties each requirement to the policies, procedures, tools/resources, training and communications through which you comply with it.
2) Perform a risk assessment.
Preparing a comprehensive risk assessment that looks at all aspects of privacy as it relates to your organization is essential. Use a risk-ranking model that measures each risk along several dimensions: risk/impact to business areas and to the organization as a whole; risk to the member/patient/customer; risk in terms of regulatory impact, compliance, scrutiny, fines and penalties; risk in terms of contractual agreements or impact on relationships with those you contract with; and risk that an issue causes a loss of trust or ends up in the public realm, whether through local or national media or through posting an incident on your website for notification purposes. Consider regulatory compliance, potential audits, projects, new technology, policies and processes, industry changes, and external threats/impacts. While doing the risk assessment, look at the maturity of your privacy program to determine whether immaturity in a particular area itself poses a risk.
3) Develop Privacy by Design tools that are specific to your organization.
Privacy by Design tools set out the general rules that business areas must follow so that controls are built in at the ground level. When designing these tools, look at regulatory requirements and industry standards, and incorporate the important rules and approvals directly from organizational policy. Include direction on whom employees need to contact, and when, to obtain those approvals.
4) Require Privacy Impact Assessments (PIAs).
Incorporate Privacy by Design tools into required PIAs. Require a PIA on any project where data will be collected, used or disclosed. Refer to the related and applicable Privacy by Design tools during the PIA process so that program/project managers use them when building business and technical requirements and when analyzing privacy impact. Require controls and, when necessary, approvals for each privacy risk identified in the PIA. For each item that appears on your risk assessment, have a plan for how you will improve; you may need an interim as well as a long-term plan for each.
5) Create an audit prep plan/program.
Determine where, and for which regulatory requirements, you are likely to be audited, and develop a plan. Think through the simplest details first, such as where the auditors will sit during the audit, what access they will need and how to provide it quickly. Then move to the more complex issues: what they will potentially ask for, who will have it and how you will get that information to them quickly. Test your assumptions. Finally, think through the final stages of the audit: who will review and sign off on any materials given to the auditors, how you will implement corrective actions that come from potential findings, which leaders in the organization need to be informed of the audit results, and how you will debrief and apply lessons learned from sessions with the auditors and after the audit.
6) Test your incident response program.
Although you may use your incident response program daily, it is important to test the process. Invite key stakeholders/participants to a meeting and divide them into groups. Have a list of detailed scenarios written down for the groups to walk through. This exercise tests participants' understanding of policies, processes, tools and resources, as well as their understanding of roles, responsibilities and accountability. It also brings to light discrepancies in processes and differences in understanding, helps identify tools/resources that may be needed and surfaces potential best practices.
7) Identify the root cause; implement corrective actions and document sanctions.
For each incident, ensure that you identify the root cause and tie your actions back to it, implementing and thoroughly documenting corrective actions and documenting any related sanctions. Regulators will ask for these key elements during an investigation or audit. Organizations have turnover, and after time has passed people often cannot remember exactly what steps were taken. Ensure that documentation is accurate, thorough and complete. Read it from an outsider's perspective to confirm that you could understand what happened if you were not part of the organization. Keep this information in a reportable format so that it can easily be shared when needed.
8) Apply lessons that have been learned from others’ mistakes.
Read industry news about mistakes others have made and determine whether those issues do or could exist within your organization. Develop corrective action plans and address the issues before they occur in your organization. Regulators take a hard line on mistakes that have been in the press and are then repeated by others.
9) Create a written plan for addressing known issues.
Write down all identified issues, each with an interim and a long-term corrective action plan. Organizations will have issues; if you can show a regulator that you are aware of an issue, that you are addressing it in some form and that you have a plan, that will help your cause.
10) Monitoring and trending.
For any policy, process, system or other asset that you own, find a way to measure what you are doing so that the data tells a meaningful story. Data makes your program solid and makes it easier to sell privacy within the organization, because you can back up what you are saying. It also shows customers, regulators and others that you have a mature program that you measure and monitor. Implement action steps based on the findings from your data to continuously improve and mature your program.
Deidre Rodriguez, CIPP/US, has been actively working in privacy compliance for 10 years, including policy development, incident response, advisory support and strategic planning. Currently, Deidre is the director of the Corporate Privacy Office and Regulatory Oversight for WellPoint, Inc.