Health system executives are faced with a dizzying kaleidoscope of constantly evolving privacy regulations, making compliance a full-time job that spans multiple roles. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Teresa Burns, Director of Privacy Operations and Privacy Officer with Protenus, suggests strategies for staying up on what’s going down, as well as how to leverage teamwork and clear assignments to keep in compliance.
Bold Statement
There are multiple levels and, at some point, you ask: which one do I comply with, or how do I comply with all of them? That is frustrating, it is a challenge, and it is expensive. The question would be: how do you keep on top of all of it? It’s not easy.
The problem is that recently some people view agencies as overstepping their bounds and actually passing their own laws, going beyond what the agency objectives are supposed to be, which is enforcing already existing laws.
In a smaller institution, you need to talk about whose job is this going to be. Because if you don’t talk about it, and you don’t assign someone, nobody is going to do it. Nobody has the time, nobody has the staff or the resources, so it has to be a discussion, and it has to be part of somebody’s KPI, somebody’s goals.
Anthony: Welcome to healthsystemsCIO’s Partner Perspective Interview Series. I’m Anthony Guerra, Founder and Editor-in-Chief. Today, we’re talking with Teresa Burns, Director of Privacy Operations and Privacy Officer with Protenus. Teresa, thanks for joining me today.
Teresa: Thank you for having me. I appreciate the opportunity to be here.
Anthony: Do you want to start off by telling me a little bit about your organization and your role?
Teresa: I am the Chief Privacy Officer for Protenus. Protenus is a compliance data analytics company that works with large and small health systems and hospitals to monitor accesses to patient records. We also have a drug diversion product where we assist hospitals with monitoring the flow of regulated drugs through their system. The company has been in business for 10 years. I have been with the company as their Privacy Officer for 6 years.
Anthony: You were with Johns Hopkins, correct?
Teresa: I was previously with Johns Hopkins as the Deputy Privacy Officer.
Anthony: You did that for a while?
Teresa: I did that for approximately 9 years. I was with Johns Hopkins for a total of 13 years, where I did some work related to contracting, purchase of medical equipment, and lab and pathology services.
Anthony: I did an interview recently and the CIO on the call expressed a lot of frustration with all the different privacy laws and how difficult it is to stay on top of everything and stay in compliance. Let’s talk about that dynamic.
Teresa: Okay.
Anthony: A lot of health systems now span multiple states. As a CIO, you could be in one state, you could be in multiple states, you could be in half the country. But you have to make sure you’re in compliance not just with the laws of the state you’re in but any state you’re operating in, and then pretty much every state. Because you could have a patient come from California or Chicago where the privacy laws are quite distinct and specific.
Teresa: That frustration is shared by many, not just CIOs but anyone who is working in healthcare compliance, whether it’s from the security or privacy side. The main law was HIPAA, and then in the last 5 years or so we saw other laws passed, with many other federal and state agencies getting involved in putting their stamp on what they think the privacy regulations should be. Any time you have multiple, layered regulations, you have complexities and confusion and increased cost to comply.
Right now, obviously,