Recently, Donna Grindle was interviewed on the Caveat podcast about HIPAA. The transcript of her interview is included here; you can also listen to the show below or follow the link provided to the full show transcript.
Dave Bittner: [00:28:09] And we are back. Ben, I recently had the pleasure of speaking with Donna Grindle. She is the founder and CEO of a company called Kardon, which does a lot of consulting and training and education when it comes to HIPAA. And she’s also one of the hosts of the “Help Me With HIPAA” podcast. She reached out to us. She was listening to our show, and she responded – maybe a few episodes ago, you and I were talking about some HIPAA things.
Ben Yelin: [00:28:33] Yes, we were. Yes.
Dave Bittner: [00:28:35] And so Donna reached out. And she said she had some comments, and I said, well, come on the show because we could certainly stand to learn a little more about HIPAA from an expert. So here’s my conversation with Donna Grindle.
Donna Grindle: [00:28:47] A lot of people don’t realize it, but prior to HIPAA, there really was no medical privacy. Everybody thinks doctor-patient confidentiality was a law, but it really wasn’t; it was just kind of an assumed thing until HIPAA was enacted in 1996. But then it didn’t actually – even though it was passed in ’96, the privacy part of it came into effect in 2003, followed by the code set standards, which are in there, as well as the security rule in 2005. So there’s really a lot to the HIPAA law, that people mostly just understand the privacy part. But there’s a lot there. The original version was called voluntary compliance. So that’s kind of what we call like, the speed limit is voluntary.
Donna Grindle: [00:29:40] So in the stimulus bills – what we most know it as, the ARRA – in 2009, they added – the HITECH Act was a tiny, little piece of that. But what its intent was, was to stimulate the economy – obviously, that’s what the intent was – but by providing assistance and funding to the health care industry for implementing electronic records. And as part of that, you had to show that you were – meaningful use requirements, that you were actually using them; you weren’t just buying them. And they beefed up HIPAA because they said, hey, we’re going to have a whole lot more out there, and we see where we’re going.
Donna Grindle: [00:30:23] And it added enforcement. It added breach notification, along with some genetic requirements under the privacy rule and those kind of things. And that really changed the HIPAA universe because that’s where it really added meat to the business associate requirements, which is what launched my original contact – podcast that talks about privacy law. I mean, that’s what I do all day, every day. So I’m like, oh, nerdy stuff.
Dave Bittner: [00:30:49] (Laughter) Well, let’s dig into that some. I mean, Ben and I, on a previous show, we discussed the HIPAA business associate requirements. Can you lay that out for us? I mean, what are they? And in the real world, how do they play out?
Donna Grindle: [00:31:01] Yeah, it’s one of those things where when you tell people that you do HIPAA for a living, and their answer is, oh, that thing I signed at the doctor.
Dave Bittner: [00:31:09] Mmm hmm.
Donna Grindle: [00:31:10] Yeah, that’s a little bit of it. But the concept is that those who provide care, provide payment for that care or process those payments are covered entities, but any company that provides a service to those covered entities that the nature of their work requires them to have access to that protected health information, they are then business associates and have to commit to providing the same types of security requirements and the privacy protections that the covered entities do. It’s kind of like that chain of custody protections that a lot of people know from the legal shows. The concept is that if your job is going to require you to have this, then you have to do the same things I do to protect the privacy and security of the patient information. So the beauty of the HITECH law was it changed it to actually for the first time say that a business associate was separate and equally liable for the protections under HIPAA, which didn’t exist before.
Dave Bittner: [00:32:20] In terms of this actually playing out in the real world, how does that work? I mean, do organizations find loopholes around these sorts of things? What really happens?
Donna Grindle: [00:32:29] Yeah, they try to. There’s a lot of that. One of the reasons that the Office for Civil Rights, who is the HIPAA police, the Office for Civil Rights under the Health and Human Services Department, they issued some very specific guidance early on that said it isn’t the business associate contract that you’re obligated to sign under HIPAA that makes you a business associate. It is the work that you do that makes you one. And there are still people who believe if I don’t sign that contract, then I’m not obligated. Really, what that means is that you’re in two kinds of trouble.
Dave Bittner: [00:33:06] (Laughter) Go on.
Donna Grindle: [00:33:08] (Laughter) Because by not signing the contract and doing the work, you are violating HIPAA right away. And that also means that your covered entity that you are contracting with or what we call the upstream business associate because it’s a long tail – it doesn’t stop just at that first level – those people who are allowing you to do the work without the contract in place, they’re violating HIPAA every day. So you’re in a double violation every single day that’s occurring. One is you’re doing the work that you should have a contract for. And then the second one is technically that’s a data breach every day they have it because they’re not authorized to have it. So that’s a big pile of trouble every day that you’re doing it.
Dave Bittner: [00:33:55] Wow. Help me understand. We have this flood of devices that are collecting personal data about us. You know, our watches are collecting information about our heartbeats and we’re weighing ourselves. And we’re – you know, women are tracking their cycles and all of these things that could be considered private medical information. Where does all that fall when it comes to that collection and HIPAA?
Dave Bittner: [00:36:23] Right.
Donna Grindle: [00:36:24] …Or the very popular med spas…
Dave Bittner: [00:36:27] Oh, yeah.
Dave Bittner: [00:36:36] Wow.
Donna Grindle: [00:36:37] I know. It’s quite tricky just figuring out who’s covered and how they’re covered and what role they play in the industry as a whole. And the health care industry is a behemoth. I mean, it’s huge…
Dave Bittner: [00:36:48] Yeah.
Donna Grindle: [00:36:48] …And quite complicated, and it is not getting any better.
Dave Bittner: [00:36:52] As the cybersecurity industry heads down this path, the ball got rolling with GDPR as we’re heading down this privacy legislation and regulation path. What does your experience with HIPAA and how that has affected a huge industry, what sort of insights or advice do you have for the folks who are at the leading edge of that journey in the cybersecurity realm?
Donna Grindle: [00:37:16] First, I mean, I would want to consider the bleeding edge because it is very hard. Even in health care today, I have a hard time. There is a perception that everybody worries about HIPAA. No, it’s not. What they worry about is patient confidentiality. Yes, most people do worry about that in the health care world. But when it gets down to the intricacies of HIPAA, even teaching my clients – and I say you can’t look at your own records, and they have a fit. They’re like, what do you mean? And I explain you’re only supposed to look at records when it’s part of doing your job and only if you’re involved in treating the patient, collecting payment for that treatment or it’s something specifically requires access to it to run the business, like an AR report or something like that.
Donna Grindle: [00:38:09] If you’re not doing one of those things, you shouldn’t look at your own records. Well, how am I ever going to see them? Well, you’re just like every other patient. You go through the same process. So when we have that at the health care level and, you know – what? – 2003 that rule’s been in place, yet they don’t even – that didn’t change in HITECH. That’s the same rule that’s always been there since 2003. And you look at – you got CCPA, GDPR, Texas, Nevada, all of these other areas in the United States. Every state is enacting its own privacy rules. And some of those involve data breach notification, and they’re at different timeframes and all these other things. And until there’s federal action, we won’t have that under control so that you can standardize it.
Donna Grindle: [00:38:59] So as cybersecurity professionals, the most important thing you can do is understand that security doesn’t make you compliant. So just assuming that if you’re doing the security things, you’re meeting regulations and meeting the regulations doesn’t make you secure, which is what a lot of people do is they just do a gap analysis of, you know, do I have all of the policies and procedures in place? You have to do both. Use a framework, the CIS 20, the NIST cybersecurity framework or even health care published just in December, the – ironically, this is – health care is the regulated industry, the Cybersecurity Act of 2015 – you familiar with the CISA?
Dave Bittner: [00:39:46] Mmm hmm. Sure.
Donna Grindle: [00:39:47] So in that, it covered all of the federal government, cybersecurity, education, building the workforce. The only industry singled out in the national Cybersecurity Act was health care because they needed more cybersecurity. It is a problem. And as part of that, it’s known as the CSA 405(d). There’s a task force that met and was involved. They completed the initial pass, December 28, 2018. So it’s almost a year. It’s called hiccup (ph) because nerds.
Dave Bittner: [00:40:26] (Laughter).
Donna Grindle: [00:40:26] But it’s HICP. If you look for it, it’s like protecting patients, a big, long thing and hence hiccup. There’s also now HICS (unintelligible), which is a whole nother thing. But that has to do with…
Dave Bittner: [00:40:38] They do love their acronyms, don’t they (laughter)?
Donna Grindle: [00:40:39] I know, right? I love being a nerd, you know? It lets me make up words. That’s how we have Google it.
Dave Bittner: [00:40:45] Right.
Donna Grindle: [00:40:46] But the HICP guide is designed for small, medium and large companies to be able to take that guide – there’s a guide that gives you explanations of five threats that everybody deals with.
Dave Bittner: [00:41:00] So is it fair to say that one of the lessons gained from what the medical industry has gone through with HIPAA is that none of this happens overnight. You know, this is a long journey.
Donna Grindle: [00:41:11] Yes, very much so, and it’s ongoing. It’s a process of continuing improvement. It’s not a once a year, once a week kind of thing. You need to think about it and live it all the time. So every single meeting, every decision, every thing that you discuss, somebody needs to say, does this have any privacy or security applications or problems or do we need to do anything about it? It should be part of your discussions, no matter what you’re talking about. Well, maybe not lunch.
Dave Bittner: [00:41:44] (Laughter).
Donna Grindle: [00:41:45] But depending on where you work, it could be lunch if you listen to the stories, you know, of what some of these pen testers are able to do. But you know what I’m saying.
Dave Bittner: [00:41:56] So, Ben, I don’t know about you, but I am definitely going to subscribe to the “Help Me With HIPAA” podcast just to get to listen to Donna.
Ben Yelin: [00:42:02] Oh, for sure. I’m sort of jealous that you got to interview her and I didn’t because it was so entertaining.
Dave Bittner: [00:42:09] Yeah, she’s great. She’s great.
Ben Yelin: [00:42:10] Donna, if you ever want us to be on your podcast, we are very willing participants.
Dave Bittner: [00:42:15] Say the word.
Ben Yelin: [00:42:16] We are now part of the Donna Grindle fan club, so thank you for that. I thought you brought up some very interesting points during her interview. I think she gave great clarity on the business association relationship as it relates to HIPAA. So if the nature of your work requires you as an organization to have access to any health care information, you are a business association. You have to apply the same privacy and security practices as if you were one of the covered entities. And if there is a breach of that information, you are jointly liable with that health care provider. It doesn’t seem like there’s widespread knowledge in the industry, especially associations that aren’t fully operating in the health care realm…
Dave Bittner: [00:42:59] Yeah.
Ben Yelin: [00:42:59] …That they are subject to this liability.
Dave Bittner: [00:43:01] I wonder how much of that is willful ignorance.
Ben Yelin: [00:43:04] I’m sure a lot of it is.
Dave Bittner: [00:43:06] (Laughter) I bet Donna has a take on that.
Ben Yelin: [00:43:08] Yeah. And one thing that I think she made very clear, which is also interesting, is there’s a long tail. You know, these covered entities have a lot of contractors, a lot of different relationships. For various reasons, a lot of organizations, as it relates to a single medical record, are going to at one point have access to that record. And it is a joint responsibility, both in an ethical sense but also in a legal sense, to safeguard that data. Another thing that stuck out to me in hearing this conversation is how helpful it is for health care organizations, covered entities and business associations to have clear guidance. And they have clear guidance because there is this federal statute. And even though as she said that statute has been constantly evolving, it’s there. There’s one federal law that deals with this area of information privacy.
Ben Yelin: [00:44:00] You’d only need one Donna to fully understand the consequences of HIPAA for your organization. When it comes to data privacy in general, as she mentions and as we’ve mentioned, we don’t have that yet because there really isn’t a federal statute. And, you know, I think HIPAA actually sets a valuable example of we could have some sort of national clarity, some uniform standards that apply at every health organization across the country. And it’s portable, meaning if you, you know, get trained in HIPAA compliance in Maryland, it’s still applicable in Virginia. And it just makes life easier for people who work in the field who don’t have a lot of time or resources to think about their legal liability.
Dave Bittner: [00:44:39] Yeah.
Ben Yelin: [00:44:39] So that’s something that I think would be a major advantage of federal data privacy legislation.
Dave Bittner: [00:44:43] Yeah. Really interesting insights. So our thanks to Donna Grindle for joining us. Her podcast is the “Help Me With HIPAA” podcast. Do check it out. We want to thank all of you for listening.