Recently, Donna Grindle was interviewed on the Caveat podcast discussing HIPAA. The transcript of her interview is included here; listen to the show below or follow the link provided to the full show transcript.
Dave Bittner: [00:28:09] And we are back. Ben, I recently had the pleasure of speaking with Donna Grindle. She is the founder and CEO of a company called Kardon, which does a lot of consulting and training and education when it comes to HIPAA. And she’s also one of the hosts of the “Help Me With HIPAA” podcast. She reached out to us. She was listening to our show, and she responded – maybe a few episodes ago, you and I were talking about some HIPAA things.
Ben Yelin: [00:28:33] Yes, we were. Yes.
Dave Bittner: [00:28:35] And so Donna reached out. And she said she had some comments, and I said, well, come on the show because we could certainly stand to learn a little more about HIPAA from an expert. So here’s my conversation with Donna Grindle.
Donna Grindle: [00:28:47] A lot of people don’t realize it, but prior to HIPAA, there really was no medical privacy. Everybody thinks doctor-patient confidentiality was a law, but it really wasn’t; it was just kind of an assumed thing until HIPAA was enacted in 1996. But then it didn’t actually – even though it was passed in ’96, the privacy part of it came into effect in 2003, followed by the code set standards, which are in there, as well as the security rule in 2005. So there’s really a lot to the HIPAA law, that people mostly just understand the privacy part. But there’s a lot there. The original version was called voluntary compliance. So that’s kind of what we call like, the speed limit is voluntary.
[00:29:38] (LAUGHTER)
Donna Grindle: [00:29:40] So in the stimulus bills – what we most know it as, the ARRA – in 2009, they added – the HITECH Act was a tiny, little piece of that. But what its intent was, was to stimulate the economy – obviously, that’s what the intent was – but by providing assistance and funding to the health care industry for implementing electronic records. And as part of that, you had to show that you were – meaningful use requirements, that you were actually using them; you weren’t just buying them. And they beefed up HIPAA because they said, hey, we’re going to have a whole lot more out there, and we see where we’re going.
Donna Grindle: [00:30:23] And it added enforcement. It added breach notification, along with some genetic requirements under the privacy rule and those kind of things. And that really changed the HIPAA universe because that’s where it really added meat to the business associate requirements, which is what launched my original contact – podcast that talks about privacy law. I mean, that’s what I do all day, every day. So I’m like, oh, nerdy stuff.
Dave Bittner: [00:30:49] (Laughter) Well, let’s dig into that some. I mean, Ben and I, on a previous show, we discussed the HIPAA business associate requirements. Can you lay that out for us? I mean, what are they? And in the real world, how do they play out?
Donna Grindle: [00:31:01] Yeah, it’s one of those things where when you tell people that you do HIPAA for a living, and their answer is, oh, that thing I signed at the doctor.
Dave Bittner: [00:31:09] Mmm hmm.
Donna Grindle: [00:31:10] Yeah, that’s a little bit of it. But the concept is that those who provide care, provide payment for that care or process those payments are covered entities, but any company that provides a service to those covered entities, where the nature of their work requires them to have access to that protected health information, they are then business associates and have to commit to providing the same types of security requirements and the privacy protections that the covered entities do. It’s kind of like that chain of custody protections that a lot of people know from the legal shows. The concept is that if your job is going to require you to have this, then you have to do the same things I do to protect the privacy and security of the patient information. So the beauty of the HITECH law was it changed it to actually for the first time say that a business associate was separate and equally liable for the protections under HIPAA, which didn’t exist before.
Dave Bittner: [00:32:20] In terms of this actually playing out in the real world, how does that work? I mean, do organizations find loopholes around these sorts of things? What really happens?
Donna Grindle: [00:32:29] Yeah, they try to. There’s a lot of that. One of the reasons that the Office for Civil Rights, who is the HIPAA police, the Office for Civil Rights under the Health and Human Services Department, they issued some very specific guidance early on that said it isn’t the business associate contract that you’re obligated to sign under HIPAA that makes you a business associate. It is the work that you do that makes you one. And there are still people who believe if I don’t sign that contract, then I’m not obligated. Really, what that means is that you’re in two kinds of trouble.
Dave Bittner: [00:33:06] (Laughter) Go on.
Donna Grindle: [00:33:08] (Laughter) Because by not signing the contract and doing the work, you are violating HIPAA right away. And that also means that your covered entity that you are contracting with or what we call the upstream business associate because it’s a long tail – it doesn’t stop just at that first level – those people who are allowing you to do the work without the contract in place, they’re violating HIPAA every day. So you’re in a double violation every single day that’s occurring. One is you’re doing the work that you should have a contract for. And then the second one is technically that’s a data breach every day they have it because they’re not authorized to have it. So that’s a big pile of trouble every day that you’re doing it.
Dave Bittner: [00:33:55] Wow. Help me understand. We have this flood of devices that are collecting personal data about us. You know, our watches are collecting information about our heartbeats and we’re weighing ourselves. And we’re – you know, women are tracking their cycles and all of these things that could be considered private medical information. Where does all that fall when it comes to that collection and HIPAA?
Donna Grindle: [00:34:21] Nowhere (laughter). It’s completely outside of HIPAA. That’s one of the problems that we constantly are discussing in the industry because HIPAA, remember, only applies to those that are providing care or payment for that care, so the insurance companies or those providing care. These companies technically can do whatever they choose to put in their privacy policy with your data when you give it to them. Now, the caveat is – and this is that original discussion that you were having with Ben – was that if I as the covered entity, the – let’s just – for simplicity, we’ll say it’s your doctor’s office. The doctor wants to use a device to track your heartbeat. OK. And the doctor gives it to you. Now, it’s covered under HIPAA because the doctor gave it to you. But if you go out and buy it yourself, there’s no connection to HIPAA whatsoever. So that is the key piece.
Donna Grindle: [00:35:22] And the discussion you were having was that this health record company had in their privacy policy that they were going to share for marketing purposes, and they were arguing that they weren’t a business associate. You know, that’s a common argument that we deal with on a daily basis almost. But that case, the particular product you were talking about in the article is owned by an electronic records company. So right away, you know, there’s that piece of you already know you’re a business associate. They have to be. Your IT companies are a big problem in a lot of cases. Not all of them. Many of them are very good at it. But it’s particularly the smaller ones who think that HIPAA just means I got to do some security and sign some paperwork. And it’s way more than that where there’s that confusion that’s just built in on who is one, who isn’t one, even who’s a covered entity. For example, if you use concierge medicine, you know, where it’s pay in cash…
Dave Bittner: [00:36:23] Right.
Donna Grindle: [00:36:24] …Or the very popular med spas…
Dave Bittner: [00:36:27] Oh, yeah.
Donna Grindle: [00:36:28] …Where you pay in cash, if they never file an electronic claim for your care because you’re paying in cash – they won’t – they’re not covered under HIPAA either.
Dave Bittner: [00:36:36] Wow.
Donna Grindle: [00:36:37] I know. It’s quite tricky just figuring out who’s covered and how they’re covered and what role they play in the industry as a whole. And the health care industry is a behemoth. I mean, it’s huge…
Dave Bittner: [00:36:48] Yeah.
Donna Grindle: [00:36:48] …And quite complicated, and it is not getting any better.
Dave Bittner: [00:36:52] As the cybersecurity industry heads down this path, the ball got rolling with GDPR as we’re heading down this privacy legislation and regulation path. What does your experience with HIPAA and how that has affected a huge industry, what sort of insights or advice do you have for the folks who are at the leading edge of that journey in the cybersecurity realm?
Donna Grindle: [00:37:16] First, I mean, I would want to consider the bleeding edge because it is very hard. Even in health care today, I have a hard time. There is a perception that everybody worries about HIPAA. No, it’s not. What they worry about is patient confidentiality. Yes, most people do worry about that in the health care world. But when it gets down to the intricacies of HIPAA, even teaching my clients – and I say you can’t look at your own records, and they have a fit. They’re like, what do you mean? And I explain you’re only supposed to look at records when it’s part of doing your job and only if you’re involved in treating the patient, collecting payment for that treatment or it’s something that specifically requires access to it to run the business, like an AR report or something like that.
Donna Grindle: [00:38:09] If you’re not doing one of those things, you shouldn’t look at your own records. Well, how am I ever going to see them? Well, you’re just like every other patient. You go through the same process. So when we have that at the health care level and, you know – what? – 2003 that rule’s been in place, yet they don’t even – that didn’t change in HITECH. That’s the same rule that’s always been there since 2003. And you look at – you got CCPA, GDPR, Texas, Nevada, all of these other areas in the United States. Every state is enacting its own privacy rules. And some of those involve data breach notification, and they’re at different timeframes and all these other things. And until there’s federal action, we won’t have that under control so that you can standardize it.
Donna Grindle: [00:38:59] So as cybersecurity professionals, the most important thing you can do is understand that security doesn’t make you compliant. So just assuming that if you’re doing the security things, you’re meeting regulations and meeting the regulations doesn’t make you secure, which is what a lot of people do is they just do a gap analysis of, you know, do I have all of the policies and procedures in place? You have to do both. Use a framework, the CIS 20, the NIST cybersecurity framework or even health care published just in December, the – ironically, this is – health care is the regulated industry, the Cybersecurity Act of 2015 – you familiar with the CISA?
Dave Bittner: [00:39:46] Mmm hmm. Sure.
Donna Grindle: [00:39:47] So in that, it covered all of the federal government, cybersecurity, education, building the workforce. The only industry singled out in the national Cybersecurity Act was health care because they needed more cybersecurity. It is a problem. And as part of that, it’s known as the CSA 405(d). There’s a task force that met and was involved. They completed the initial pass, December 28, 2018. So it’s almost a year. It’s called hiccup (ph) because nerds.
Dave Bittner: [00:40:26] (Laughter).
Donna Grindle: [00:40:26] But it’s HICP. If you look for it, it’s like protecting patients, a big, long thing and hence hiccup. There’s also now HICS (unintelligible), which is a whole nother thing. But that has to do with…
Dave Bittner: [00:40:38] They do love their acronyms, don’t they (laughter)?
Donna Grindle: [00:40:39] I know, right? I love being a nerd, you know? It lets me make up words. That’s how we have Google it.
Dave Bittner: [00:40:45] Right.
Donna Grindle: [00:40:46] But the HICP guide is designed for small, medium and large companies to be able to take that guide – there’s a guide that gives you explanations of five threats that everybody deals with.
Dave Bittner: [00:41:00] So is it fair to say that one of the lessons gained from what the medical industry has gone through with HIPAA is that none of this happens overnight. You know, this is a long journey.
Donna Grindle: [00:41:11] Yes, very much so, and it’s ongoing. It’s a process of continuing improvement. It’s not a once a year, once a week kind of thing. You need to think about it and live it all the time. So every single meeting, every decision, every thing that you discuss, somebody needs to say, does this have any privacy or security applications or problems or do we need to do anything about it? It should be part of your discussions, no matter what you’re talking about. Well, maybe not lunch.
Dave Bittner: [00:41:44] (Laughter).
Donna Grindle: [00:41:45] But depending on where you work, it could be lunch if you listen to the stories, you know, of what some of these pen testers are able to do. But you know what I’m saying.
Dave Bittner: [00:41:56] So, Ben, I don’t know about you, but I am definitely going to subscribe to the “Help Me With HIPAA” podcast just to get to listen to Donna.
Ben Yelin: [00:42:02] Oh, for sure. I’m sort of jealous that you got to interview her and I didn’t because it was so entertaining.
Dave Bittner: [00:42:09] Yeah, she’s great. She’s great.
Ben Yelin: [00:42:10] Donna, if you ever want us to be on your podcast, we are very willing participants.
Dave Bittner: [00:42:15] Say the word.
Ben Yelin: [00:42:16] We are now part of the Donna Grindle fan club, so thank you for that. I thought you brought up some very interesting points during her interview. I think she gave great clarity on the business association relationship as it relates to HIPAA. So if the nature of your work requires you as an organization to have access to any health care information, you are a business association. You have to apply the same privacy and security practices as if you were one of the covered entities. And if there is a breach of that information, you are jointly liable with that health care provider. It doesn’t seem like there’s widespread knowledge in the industry, especially associations that aren’t fully operating in the health care realm…
Dave Bittner: [00:42:59] Yeah.
Ben Yelin: [00:42:59] …That they are subject to this liability.
Dave Bittner: [00:43:01] I wonder how much of that is willful ignorance.
Ben Yelin: [00:43:04] I’m sure a lot of it is.
Dave Bittner: [00:43:06] (Laughter) I bet Donna has a take on that.
Ben Yelin: [00:43:08] Yeah. And one thing that I think she made very clear, which is also interesting, is there’s a long tail. You know, these covered entities have a lot of contractors, a lot of different relationships. For various reasons, a lot of organizations, as it relates to a single medical record, are going to at one point have access to that record. And it is a joint responsibility, both in an ethical sense but also in a legal sense, to safeguard that data. Another thing that stuck out to me in hearing this conversation is how helpful it is for health care organizations, covered entities and business associations to have clear guidance. And they have clear guidance because there is this federal statute. And even though as she said that statute has been constantly evolving, it’s there. There’s one federal law that deals with this area of information privacy.
Ben Yelin: [00:44:00] You’d only need one Donna to fully understand the consequences of HIPAA for your organization. When it comes to data privacy in general, as she mentions and as we’ve mentioned, we don’t have that yet because there really isn’t a federal statute. And, you know, I think HIPAA actually sets a valuable example of we could have some sort of national clarity, some uniform standards that apply at every health organization across the country. And it’s portable, meaning if you, you know, get trained in HIPAA compliance in Maryland, it’s still applicable in Virginia. And it just makes life easier for people who work in the field who don’t have a lot of time or resources to think about their legal liability.
Dave Bittner: [00:44:39] Yeah.
Ben Yelin: [00:44:39] So that’s something that I think would be a major advantage of federal data privacy legislation.
Dave Bittner: [00:44:43] Yeah. Really interesting insights. So our thanks to Donna Grindle for joining us. Her podcast is the “Help Me With HIPAA” podcast. Do check it out. We want to thank all of you for listening.
– More at: https://thecyberwire.com/podcasts/cw-podcasts-caveat-2019-12-11.html