Privacy Protection Falls to Compliance Experts

In undercover tests conducted by the Department of Homeland Security, fake bombs and weapons made it past airport security systems 95 percent of the time. As Bruce Schneier, chief technology officer of international security firm Resilient Systems, recently suggested to The Economist, that’s because “security screening is an incredibly boring job. It’s very hard for people to remain vigilant and sloppiness is inevitable.” Could the same be true about health-care compliance?

Alicia Robles de la Lama, General Counsel and Chief Compliance Officer, Gastro Health

“There are so many regulations governing the healthcare industry, it’s hard to stay on top of them all, and there is a lot of room for unintentional human error,” says Alicia Robles de la Lama, general counsel and chief compliance officer of Gastro Health, which offers preventive care, education and treatment of digestive diseases to patients throughout greater Miami.

For instance, it is a Health Insurance Portability and Accountability Act (HIPAA) violation if someone walks away from their desk without logging out while a patient’s electronic medical record or chart is up on their screen.

“The employee has to be written up, educated, perhaps assigned to a different area, and, in some cases, they may have to be terminated,” explains De la Lama. “It is often difficult to remember all the rules in the midst of other responsibilities, but it is essential and requires constant vigilance.”

De la Lama says she is up to the challenge, explaining that an indomitable spirit runs in her genes. Her mother came to the United States without her parents as part of “Operation Pedro Pan” (the 1960-62 Catholic Welfare Bureau effort that helped 14,000 children relocate from Cuba to America) and was raised by her aunt and grandmother until her parents could join her. Her father moved to America from Ecuador with his brother to attend high school and college.

A big part of De la Lama’s focus is helping health-care employees appreciate the seriousness of the regulations. Along with the company’s HR department, she holds regular educational sessions and publishes a monthly newsletter to explain the rules and provide updates when rules change. She also plans to start offering contests to engage employees and ensure they understand what is required of them in different situations. “Before enforcing the rules, those of us in administration have to ensure rules are communicated, updated, and understood,” she says.

To stay abreast of constant changes, De la Lama keeps a certification in health-care compliance by the Health Care Compliance Association (HCCA). In addition to certification, the HCCA provides training, networking, and continuing education units through web conferences and in-person events.

She is also a licensed health-care risk manager. The license is mandated by most states for large health-care clinics and hospitals to help control, monitor, and prevent medical accidents and injuries and was required in her previous job as associate general counsel of a national health-maintenance organization (HMO) that operated multi-specialty health clinics.

“It has continued to be extremely helpful in my current job, since it helps me understand medical risks and patient safety, the proper ways to track and report incidents, and how to deal with provider education and risk management issues,” she says. To make sure others in the organization understand the rules, too, she established a risk committee that meets three times a year. “All the clinicians participate, so we can brainstorm ideas and share perspectives.”

What are the most common risks? “A breach of healthcare data—i.e., a patient’s confidential information,” she says without hesitation. The statistics bear her out: According to the US Department of Health & Human Services Office for Civil Rights, which tracks breaches of protected health information affecting 500 or more individuals, there were 1,282 breaches between September 2009 and August 2015, affecting 143 million individuals.

Gastro Health 

Headquarters: Miami, FL

Founded: 2006

Number of Employees: 350

Summary: Gastro Health offers a wide variety of services to patients with diseases of the digestive system. In addition to 50 board-certified physicians, it employs pathologists, radiologists, anesthesiologists, and nutritionists at 17 locations throughout greater Miami. It handles 100,000 patient visits a year and conducts phase II, III, and IV clinical trials.

“We are entrusted with lots of confidential material and must do everything in our power to ensure it is used only when necessary and seen only by those professionals who need to see it. Unfortunately, no system is 100-percent secure, but we work diligently to make ours as safe as possible,” De la Lama says. To this end, she works closely with Gastro Health’s director of information technology. “We conduct frequent internal audits to detect and repair any vulnerabilities. We also have an audit performed once a year by a third-party firm.”

Gastro Health contracts with All Covered, but there are lots of firms that do this kind of work.

Another area of concern that takes up significant resources and requires continuous training is the Stark law and other self-referral and anti-kickback regulations. “These rules are often misunderstood,” explains De la Lama. “Something as simple as referring a patient to an imaging center that a friend happens to own, even if it’s the best available option, can be a violation. So can accepting a gift, though it may seem trivial. We have to make sure employees are properly trained and that any violations are quickly reported and addressed.”

De la Lama also has to ensure that designated Gastro Health employees get patients to sign the Notice of Privacy Practices (NPP). “Everyone dreads this task,” she says. “The document used to be one page; now it’s three double-sided pages. Most patients have lots of concerns and questions, so I’ve urged our employees to come up with their own ‘Cliff’s Notes’ or list of FAQs to make it more digestible.

“After all, we are the gatekeepers of this whole process, which obligates patients to provide us with considerable personal and medical information, requires us to keep it under lock and key, and outlines who we are allowed to share it with. It is our responsibility to remind patients how seriously we take these tasks.”

“Carefully and patiently explaining everything to patients can help comfort them and make our job much easier. It gives us the opportunity for a real win-win, which is a rare and wonderful thing, especially in health care.”