Creating a Culture of Compliance

Lauren Steinfeld discusses regulatory compliance in the context of data privacy and health care.

In a conversation with The Regulatory Review, Penn Medicine Chief Privacy Officer Lauren Steinfeld discusses how health care systems work to comply with regulations on data privacy.

Steinfeld argues that health care faces new legal requirements, industry standards, and rapidly changing technology, and that each new development requires strategies to manage risk and seize opportunity. In the case of new rules, health care providers must assess—and if necessary, change—existing internal policies and procedures, training, systems, and more to comply. New technologies also must be understood, she argues, because some may introduce new vulnerabilities and others may provide new opportunities for protecting patient data.

Steinfeld argues that achieving regulatory compliance in a health care organization requires privacy professionals to consider an organization’s mission, culture, and internal operations. She emphasizes that because data are essential to every part of an organization, new privacy rules are likely to affect almost everyone within it. Steinfeld notes the importance of regulators acting as educators and providing entities the tools they need to protect patient privacy without interfering with proper care.

In addition to her positions as Chief Privacy Officer at Penn Medicine and Associate Vice President for Audit, Compliance and Privacy at the University of Pennsylvania, Steinfeld is an Adjunct Professor at the University of Pennsylvania Carey Law School, where she teaches courses on privacy and compliance. Previously, Steinfeld was the Chief Privacy Officer at the University of Pennsylvania, where she helped create the first institution-wide privacy program in higher education. Steinfeld also served as the Associate Chief Counselor for Privacy at the Office of Management and Budget, where she aided the Clinton Administration in developing the Health Insurance Portability and Accountability Act (HIPAA), and as an Attorney Advisor at the Federal Trade Commission (FTC), where she was involved in some of the agency’s first privacy-related cases.

The Regulatory Review is pleased to share the following interview with Lauren Steinfeld.

The Regulatory Review: What makes a compliance program effective for an organization?

Steinfeld: There is no simple answer to that question because there are so many contributing factors to even define “effectiveness.” A company leader looking to develop a compliance program would likely begin by asking the following questions:

What are an organization’s goals in compliance? To avoid fines and penalties? To avoid negative press attention? To avoid serious safety, operational, or financial weaknesses?

What tolerance for risk does the company have? Does one aim for zero compliance risk, and is there a willingness to make all relevant investments? Does one aim to avoid only serious, systemic problems and is one willing to make select, targeted investments to do so? Is a company somewhere in between?

What is the risk of non-compliance? How hard is it to comply? Does it require training, product changes, workflow changes, new systems, or proactive monitoring? How active are the relevant regulators? The plaintiff’s bar?

Does compliance contribute to other business objectives? Does it require operational changes, deeper analysis, better documentation, governance, or other measures that make the business stronger? Are there business advantages beyond staying out of trouble?

Only after addressing these questions can one evaluate the effectiveness of a compliance program.

TRR: What mechanisms come into play to achieve compliance?

Steinfeld: I see compliance as the process of taking rules—which may be simple on their face—and applying them to an organization that may be anything but simple. Large, complex, multi-state, global companies often have thousands of requirements that they are aiming to “bake in” to how they do business.

There are so many tools in a toolkit to achieve compliance: training and awareness for the workforce, changing workflows, modifying contract templates and other forms, centralizing compliance in select expert functions, configuring information technology (IT) systems, dedicating audit resources, establishing governance, among others.

The trick—and challenge—is to figure out what levers are most appropriate to pull for compliance. For example, a person responsible for ensuring compliance with fair labor standards laws might want to train and document training of all managers and change time and attendance systems to avoid certain prohibited salaries and hours. A person in charge of compliant pH levels in yogurt manufacturing would not make those choices!

TRR: Are there unique considerations involved when developing internal policies for health care systems?

Steinfeld: In my experience, yes. In health care, one is always aware of the fact that patient care and safety are paramount. These concerns are not just a matter for doctors, nurses, and other health care professionals. Patient care and safety are also a matter for IT professionals building information systems or front desk and other staff helping patients navigate their appointments and procedures.

Patient care is also a matter for compliance professionals. Often in the field of privacy, the law provides some guideposts on how to balance sharing patient data to improve health outcomes with the need to protect patient privacy. But details around how to do so, with whom to share information, how to inform patients about information sharing, what patient choices to provide, whether certain sensitive data should have more restrictions, and how to keep data sharing secure are often not dictated by law and need critical thought and consultation.

TRR: Given the significant rise in cyber incidents and privacy breaches plaguing health systems and hospitals, what approaches should regulators consider to help organizations prevent the loss of sensitive data?

Steinfeld: One thing I came to understand at the FTC in the late 90s is how many roles a regulator can play to advance an issue. A regulatory agency can write rules and enforce them, but it can also educate businesses and consumers, study issues through hearings, help companies form information-sharing partnerships, and more.

The problem you are raising—the rise in cyber incidents and privacy breaches—is one that already has a lot of rules around it. HIPAA alone has a Privacy Rule, a Security Rule, and a Breach Notification Rule, so there is no shortage of requirements in data protection. Although rules can help advance the cause, in health care, there are strong independent mission-based incentives to get these issues right—consider even just the critical importance of detecting and avoiding ransomware attacks given the potential impact on patient care.

Regulators in this space have done more than write rules. They have also helped educate covered entities and patients about measures to protect privacy and security. And they have helped advance information sharing among covered entities surrounding specific threats and opportunities to protect against them. This kind of multi-faceted approach by regulators, recognizing that there is a common goal, is very helpful.

TRR: You have taught multiple courses on regulatory compliance and privacy at Penn Carey Law. What is the most important lesson that you hope students take away from your courses?

Steinfeld: I try to let students know that, of course, law is more than just words on a page. And in the field of compliance, especially, you can really see how laws relate to—and need to be embedded into—so many diverse parts of an organization. Working in this space gives you the chance to learn and participate in areas such as information security, artificial intelligence, instructional technology, contracting and strategic partnerships, government relations, communications, human resources, and much more.

And this notion is even more true when it comes to privacy because virtually every part of every organization relies on data. This basic fact means that privacy staff are regularly brought into discussions and projects around how data can and should be collected, used, shared and protected.

Working in compliance and privacy gives you one of the best vantage points to learn about different fields and the organization you work for. I’ve been in this field for more than 25 years—and it remains action packed!