University Student Data and COVID-19: What can be shared?

The long-awaited return of students to schools has arrived, with some students attending school remotely, while others are attending classes on-site at academic institutions. We’ve also seen the unintended spread of COVID-19 at these institutions and, as a result, many schools have opted to discontinue on-site classes, switching to remote learning. In some instances, the students who have tested positive for COVID-19 have been asked to either return home or quarantine in specified dorms to prevent the spread of the virus to other students, faculty, and staff.

In these instances, there are people or organizations that may need to be notified if students, teachers, or other university staff have tested positive for COVID-19. Contact tracing may also be implemented at the university to help limit the spread of the virus. This raises a complicated question: whom can the university notify, what information can it share, and what guidelines should be followed when dealing with COVID-19 at academic institutions? The answer depends on the situation, as a university must assess whether the information is Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Personally Identifiable Information (PII) under the Family Educational Rights and Privacy Act (FERPA), or both.

HIPAA requires covered entities to protect the patient’s PHI through appropriate safeguards, and it sets limits and conditions on the uses and disclosures of PHI without patient authorization. One such permissible disclosure is to prevent a serious and imminent threat; the Office for Civil Rights (OCR) has deemed COVID-19 such a threat, and therefore some patient information can be shared with the appropriate parties. Similarly, FERPA protects the privacy of student education records and prohibits educational institutions from disclosing PII in education records without written consent from the student (or the parent or guardian if the student is under 18, unless the underage student is enrolled in a university). “Education records” include any information directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution; a student’s health records fall under FERPA’s definition of “education records”.1 FERPA does have a list of permitted disclosures, including cases of health and safety emergencies. So how do universities navigate these two policies when it comes to notifying others if a student, teacher, or other staff member has tested positive for COVID-19?

In normal situations, a student’s health record falls under FERPA, and HIPAA does not apply. So, for example, if a student visits the campus medical center operated by the university, that record falls under FERPA guidelines and the institution would need to have a permitted reason to disclose the information. As for hospitals affiliated with a university subject to FERPA, a student’s hospital record is not considered an “education record”, as these facilities provide services without regard to the person’s status at the university, so that record falls under HIPAA guidelines. But if that hospital runs a student clinic, then those records fall under FERPA guidelines. The U.S. Department of Health and Human Services, together with the U.S. Department of Education, issued a Joint Guidance on the Application of FERPA and HIPAA to Student Health Records in December 2019, further elaborating on how these guidelines apply to records maintained on students. Joint Guidance on the Application of FERPA and HIPAA To Student Health Records – 2019

With regard to the current COVID-19 pandemic, the U.S. Department of Education released a series of FAQs that cover questions related to FERPA and COVID-19 and include a sample FERPA Consent Form: Department of Education Student Privacy Policy Office – FERPA & Coronavirus Disease 2019 FAQs – March 2020. The FAQ outlines that if a student has COVID-19, it is sufficient to report only that a positive COVID-19 case has been found on campus to other students and/or the parents of other students, rather than specifically identifying the student who is infected. For example, a university can email students and parents that there is a confirmed COVID-19 case on campus to notify them of a potential risk of contraction. If a student’s PII needs to be disclosed, the disclosure must meet the health and safety exemption under FERPA, and the PII can only be disclosed to appropriate parties, i.e. law enforcement, public health officials, trained medical personnel, and parents (PII cannot be disclosed to the media, as they are not considered an appropriate party under FERPA).

FERPA generally requires educational agencies and institutions to maintain a record of each request for access to and each disclosure of PII from the education records of each student. When making a disclosure under the health or safety emergency provision in FERPA, universities are specifically required to record the articulable and significant threat to the health or safety of a student or other individual that formed the basis for the disclosure and the parties to whom the university disclosed the information.

After finalizing the required analysis and assuming the university and/or HIPAA “covered entity” can notify appropriate parties, it may be prudent to also conduct contact tracing to prevent further spread of COVID-19. Both healthcare providers and academic institutions can benefit from the use of contact tracing technology to expedite this process and ensure the protection of student information. If a school intends to implement contact tracing systems for COVID-19, it is advisable to prepare consent forms for parents and eligible students to allow for the potential sharing of “directory information” (i.e. a student’s name, address, phone number) that is linked to non-directory information (information regarding a student’s COVID-19 illness).

Protecting student information is essential, and an understanding of FERPA is key for universities to ensure the confidentiality, health, and safety of their students during the COVID-19 outbreak. Under these guidelines, the PII in student education records cannot be disclosed without written consent from the student, unless an exemption applies. With the COVID-19 pandemic affecting the nation, the FERPA health and safety emergency exemption comes into play, allowing universities to release a student’s PII to appropriate parties (law enforcement, public health officials, trained medical personnel, and parents) if disclosure is needed. Understanding the FERPA guidelines and exemptions will help universities protect the health and privacy of their students during this time.

1 Joint Guidance on the Application of FERPA and HIPAA To Student Health Records – 2019



Elizabeth B. Ruszczyk, JD, CIPP, CHC, CHRP


Elizabeth B. Ruszczyk, Esq., most recently served the Vice President and Chief Compliance and Privacy Officer at UF Health. UF Health is a private, not-for-profit healthcare system affiliated with the University of Florida and its Health Science Center campuses in Gainesville and Jacksonville. From 2016 – 2019, Ms. Ruszczyk also simultaneously served as the Executive Associate Vice President, Chief Compliance and Privacy Officer for the University of Florida. Ms. Ruszczyk possesses nearly 20 years of extensive experience in developing and implementing all aspects of privacy and compliance programs for health systems and academic research institutions. Prior to her tenure at UF Health, Ms. Ruszczyk worked as a commercial litigation associate with Smith, Gambrell & Russell, LLP., in the firm’s Jacksonville, Florida office. Currently, Ms. Ruszczyk provides specialty consulting services in the fields of healthcare privacy and compliance.

Protecting Employee and Patient Privacy in the New Normal

Over the last several weeks, most of the United States has been in various phases of “re-opening” after the COVID-19 pandemic shutdowns. As physical offices open back up, many employers are refreshing their telecommuting policies or initiating their own “return to work” programs. Because this is such uncharted territory, many organizations have been engaging in dialogue about how to safely bring their employees back to the workplace. Of course, this reintroduction is occurring under a “new normal” regulatory schema that intends to maintain employee privacy.

The COVID-19 pandemic has challenged the healthcare sector in unimaginable ways and as a consequence, government regulators have been forced to make seemingly instantaneous changes to complex laws (and/or issue additional guidance) in a host of compliance areas including HIPAA, the ADA, and other EEO Laws.

Per HIPAA, employee records are distinct from patient records, even if the information in an employee record is health-related (a doctor’s note or other health information pertinent to sick leave, workers’ compensation, etc.). However, the Americans with Disabilities Act (ADA) requires all medical information about a particular employee to be stored separately from the employee’s personnel file, while also requiring limited access to this confidential information. In any healthcare organization, there are certainly instances when an employee has become a patient, maybe even a COVID-19 patient in the current climate. In such cases, there might be sensitive details related to the employee’s health in both their employee medical file and their patient record. HIPAA and ADA protections would apply, but it is important to ensure the organization has policies in place to monitor and protect both silos of information, as well as to define who within the organization needs to have access to or knowledge of the employee’s health situation.

Healthcare Privacy Officers work to ensure patient medical data are protected. Employees who are patients have unique privacy interests that should not be overlooked when developing any new policies or protocols. Policies on what information should be disclosed to managers and co-workers about an employee’s absence, for example, can ensure the proper care is taken to meet compliance regulations. Similarly, technology is needed to monitor for abuse of access rights, such as when employees snoop on medical records.

One way to ensure the privacy of patient and employee medical records is upheld is to implement a technology solution that can help Privacy Officers carry out these policies. Machine learning solutions like the Maize Analytics Patient Privacy Monitoring solution assist privacy teams in monitoring for inappropriate uses of medical data by learning how to differentiate normal from irregular access patterns.

The Maize Privacy Monitoring solution also includes a contact tracing system that leverages the access log to identify employee exposure and trace back infections. Contact tracing allows healthcare organizations to quickly notify employees who have come into contact with a patient who later tests positive for COVID, or even comes into contact with another employee who later tests positive. Being able to take action early is essential to protect the health and privacy of employees.

Inappropriately accessing medical records is an ongoing issue, even during the current COVID-19 pandemic. With hospitals being at the center of the response, and also a place where the virus is likely to spread, it is important that policies, procedures, and systems are put in place to track inappropriate access to patient records, including employees snooping on co-workers’ COVID statuses.

The U.S. Equal Employment Opportunity Commission (EEOC) has published a list of resources on what employers should know about COVID-19, the ADA, the Rehabilitation Act, and other EEO laws that can be useful for Privacy Officers and compliance teams:



Elizabeth B. Ruszczyk, JD, CIPP, CHC, CHRP


Protecting Patient Privacy during COVID-19

With the rapid spread of COVID-19 across the country, and increasing numbers of infected patients at hospitals, compliance and privacy teams are taking extra precautions to protect sensitive patient information. Here are some tips to help ensure your organization is protecting patient privacy during the COVID-19 outbreak:

1. Stay up-to-date on all announcements from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). While the rules and regulations under the HIPAA Privacy Rule are still operable and enforceable, the OCR has released several waivers for the disclosure of Protected Health Information (PHI) during the COVID-19 crisis. Some of these include enforcement discretion for community-based testing sites, business associates, and telehealth services. These announcements are critical for compliance and privacy teams to ensure they stay compliant during this time. It is important to continually check the OCR website for any new information; visit the OCR website here.

Maize also has a page of these resources for quick access, find it here.

2. Track COVID-19 patients daily. It is important to monitor accesses to all COVID-19 patients’ records on a daily basis to ensure inappropriate accesses are found and mitigated in a timely manner.

3. Notify all employees to stay vigilant. During this pandemic, there has been an increase in cyberattacks on healthcare organizations. It is important for compliance and privacy teams to inform all employees of these risks, and to communicate procedures for reporting suspicious activity. Scams have included calls from people claiming they work for the OCR, baiting healthcare employees to divulge PHI, phishing, and malware emails.

Protecting patient information is always important, but during a pandemic, the significance of compliance and privacy teams within healthcare organizations becomes heightened. We hope these tips will help, and we thank you and all the employees at your organization for the work you have been doing to help during this time.

COVID-19 Resources

Maize Analytics wants to ensure that you have all the resources you need to help stay up-to-date on compliance and privacy news during the COVID-19 pandemic. We thank you and all the healthcare workers in your organization for all the work you do to protect and save lives. 


The Health and Human Services (HHS) Office for Civil Rights (OCR) COVID-19 page includes announcements, notifications, guidance and more. Visit their page.

For all news releases from the HHS OCR, visit their Official News page.

To join the OCR Privacy Email List for direct updates, register here. has compiled various resources from the HHS and CDC related to COVID-19 for the health IT community and healthcare providers. Visit their resource page.


ICD Codes for COVID-19 

The Centers for Disease Control and Prevention (CDC) has released two documents with ICD-10-CM coding guidelines for encounters related to COVID-19.


HHS OCR HIPAA Privacy Bulletin: February 3, 2020
The HHS OCR issued this bulletin for guidance on how patient information can be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation.


COVID-19 & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency
In March 2020, the Secretary of HHS, Alex Azar, exercised his authority to waive sanctions and penalties against a covered hospital that does not comply with certain Privacy Rule provisions.


Telehealth Enforcement Discretion Announcement
To help medical providers serve patients during COVID-19, the OCR announced it will waive potential penalties for HIPAA violations against providers serving patients using everyday communication technologies.


HHS OCR Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19
HHS OCR announced that it will not impose penalties against covered entities or their business associates for uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 public health emergency.


COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities
To help protect first responders and prevent further spread of the COVID-19 virus, the OCR released guidance on sharing PHI of individuals infected or exposed to COVID-19 with first responders.


HIPAA Enforcement Discretion Regarding COVID-19 Community Based Testing Sites (CBTS) During the COVID-19 Nationwide Public Health Emergency
On April 9, 2020, the OCR issued a Notification of Enforcement Discretion announcing that it will not impose penalties against covered entities or business associates for violations of HIPAA in the operation of a COVID-19 community-based testing site (CBTS) during this public health emergency.

Maize Analytics Operations Director Publishes Thesis: Security and Privacy of the Integrated Clinical Environment Part I

Maize Analytics’ Operations Director, Jason Williams, MSIT, JD, LLM, CIPP/US, recently published the first article of his three-part thesis series: Security and Privacy of the Integrated Clinical Environment in the Journal of Health Care Finance.

Part I of this thesis series reviews the basic concepts of interoperability and the integrated clinical environment (ICE), the legal and regulatory framework impacting an interoperable ICE, and an overview of the risks associated with the deployment of an interoperable ICE.

Read the full thesis to get an introduction to the basic concepts of the integrated clinical environment and the challenges present. Part II will discuss how privacy and security risks can be addressed through the NIST Privacy Frameworks and privacy engineering concepts.


Read Part I



Engagement with Executive Management: How to Arm Compliance with Specific Data That Informs Decision Making

I was recently listening to a webinar when someone asked a question that I often ask: “how do I get business executives to care as much about compliance as I do?” I expected the answer to be the same one I have heard a hundred times, “you have to make them understand the risks… you have to make sure they understand the potential for personal liability… you have to explain the government’s expectations… etc.” The answer the speaker gave was more insightful; she said, “you can’t”. She went on to explain that if you, as the compliance officer, are not the individual in your company who cares most about compliance, who is the most excited about your compliance program, then you are probably in the wrong position.

I think rather than asking how to get business executives excited about compliance, we should ask how we can frame our compliance metrics in a way that supports the things that make the business executives really excited about the work compliance does.

Metrics: What’s Important to Executives?

Many of us in the compliance field produce benchmarking data for the board and executive management teams. A small sampling of typical metrics include:

  • Number of hotline calls received (by location, business unit, anonymous/identified, allegation, etc.)
  • Length of time to respond to hotline call
  • Source of hotline awareness
  • Number and type of privacy violations
  • Number of active compliance investigations (by type, location, allegation, etc.)
  • Length of time to close investigation
  • Number of training programs delivered
  • Training completion rates
  • Policy dissemination acknowledgements

While these metrics can give important information about the performance of the compliance program, they don’t really convey their meaning to the executive team or their impact on the business. I would argue that it is often difficult to engage executive management in your compliance program because you are not providing them with any information that is framed in a manner that helps them manage their critical strategic and operational priorities.

So, let’s think about some of those business priorities. In my experience, healthcare executives are focused on quality, revenue, costs, growth, patient, employee and physician satisfaction, and reputational, financial and operational risk. How do you use these priorities to effectively show executives what is going well in your compliance program and what requires their attention? How can your metrics help executives understand their risk position? How do you help executives establish a meaningful risk tolerance level?

To answer these questions, you first need to determine the types of data you will provide. Generally, there are two types of metrics: process metrics and outcome metrics.


Process Metrics and Outcome Metrics

Process metrics are those data that show program effectiveness (hotline reports received, number responded to timely, trainings completed, policies distributed, etc.). Process metrics should include an indication of how the measure is trending over time and some indication of criticality to help your executives understand those data that require their attention, those that don’t, and those that should be celebrated.

Outcome metrics are those data that show the results of your auditing, monitoring, and investigation programs which address specific risk areas (new physician coding audit, focused claim coding audits, employee access audit, etc.). Outcome measures should be tied to your risk assessment priorities and are often easier to align with strategic priorities.


Gather and Connect Metrics

Your metrics should derive from the seven elements of an effective compliance program, your risk assessment priorities, and specific risk areas. It is important, however, that you don’t try to use data to develop metrics for every aspect of your compliance program. Remember, your executives are getting data from various departments across the organization, and data fatigue is a very real problem. Copious amounts of data will cause your executives’ eyes to glaze over, and the message you are trying to convey will be lost.

Consider aggregating some of your department data into a few key metrics that can drive a story aligned with the organizational strategy. For example, you may want to take all of your compliance program effectiveness measures and provide a single effectiveness score which can be trended over time. Similarly, you can take specific risk area measures that affect one of the key strategic priorities and aggregate them into a single strategy score (e.g. provide a Readiness for Growth measure that combines your auditing results that affect Growth).

Keep in mind that not every audience requires the same data. Your Compliance Committee may need significantly more information about specific reporting elements than other members of your executive management team. Know what actions, decisions, or discussion you want to elicit from the group and tailor your data and metrics to the audience’s charter.

Finally, consider how to connect your information with other information gathered by the organization. For example, if Quality is collecting information specific to patient satisfaction, think about how your data may inform the quality data. Are you seeing more hotline calls coming in from units that are reporting poor patient satisfaction? Are you seeing more data breaches from units that are reporting poor patient satisfaction? When you can integrate your data with other data collected in the organization, executives can better understand what the data means on an overall scale.


Engage Executives

To engage your executive management in your compliance program, you need to provide them with information that can help inform their strategic priorities. This approach requires a different mindset from compliance officers. Most compliance data provided to the executive team is designed to express potential compliance risk without being tied more closely to the organization’s strategic priorities. Instead, the data you provide should include both process measures and outcome measures, and should be tailored to the audience you are presenting the information to. By aligning your compliance metrics with the organization’s strategic priorities, you are seen as a partner in achieving organizational goals rather than as someone managing goals separate from the rest of your organization.

As your organization’s compliance professional, you have a lot of data available to you. Your challenge is taking all that data and leveraging it into meaningful and actionable information for your executives that aligns with the organization’s strategic, financial, and operational objectives. This engagement will form the partnership you need to minimize risk and grow your program’s visibility.

OIG HHS Healthcare Compliance Program Tips 


Margaret has over twenty years of experience in healthcare compliance, including roles as Chief Compliance Officer for large integrated health systems providing services in multi-state geographies. She is recognized as an industry thought leader and speaker, including addressing the US Senate Finance Committee and other government agencies. Margaret is also the past President and a current member of the Board of Directors of the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA), supporting and promoting integrity programs nationally and internationally.

4 Tips for Building a Successful Access Monitoring Process

Monitoring is the fifth of the seven elements of an effective compliance program. It is a continuous task that compliance and privacy teams must perform to ensure any inappropriate accesses are detected and resolved in a timely manner. When discussing how your team should go about monitoring, it is important to design a process in line with your team’s and healthcare facility’s priorities.

When looking to build a successful monitoring process, 4 things need to be considered:

1. The Subjects

The first thing to determine is the subjects of your monitoring effort. Some questions that your team should consider:

– What/who are you monitoring? — Lay out the parameters of what and who your team will be monitoring. Know what information needs to be monitored (patient accesses, VIPs, newborns, employees who have made previous inappropriate accesses, etc.) and what systems to pull data from.

– What are you looking for? — Map out what is appropriate and inappropriate for your facility. For example, it should be noted whether self-accesses are appropriate or not at your healthcare facility.

2. Methods

As stated in the HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)), covered entities are required to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). Therefore, your team must have a method in place to monitor ePHI.

Lay out the method of your team’s monitoring processes and the tools used to monitor EMR accesses. It’s best for that method to be documented so new team members can be easily on-boarded. Moreover, leverage software systems to help automate the process, so you can focus on suspicious behavior rather than time-consuming false positives.

3. Frequency

The monitoring frequency is an important parameter of your process because it determines how often accesses are reviewed. Put a formal process in place that notes how often your team will monitor subjects. The frequency may change depending on the subjects and the size of the facility. A schedule that lays out the amount of time and which team members are assigned work can help everyone stay on track to meet reporting requirements.

4. Reporting

Discuss what information needs to be reported, how those reports will be presented, and who the reports will need to be sent to. It is important to define the specific metrics you present to compliance managers, department heads and executive committees. Remember that different people in organizations like to consume data in different ways, so they might like raw data or aggregate results.

When building this process, ensure all rules and regulations are being adhered to. Over time, this process and schedule may change as your team gets into its flow. If changes need to be made, discuss them with your compliance or privacy team and make the necessary changes over time. Always update your documentation to reflect the updated process (it is helpful to keep versions of the documentation in case your team wants to look back on what changed).

A monitoring process is required under HIPAA, but building out a successful program will also help your team better manage day-to-day tasks and ensure the proper data are being monitored. Going through each of these four points will help define and build your monitoring program, so your team can implement it and better protect your patients’ privacy.
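The four points above (subjects, method, frequency, reporting), and the earlier post’s idea of re-using the EMR access log for employee contact tracing, can be made concrete in a small script. The following is an added example written for this page; it is not Maize Analytics product code and not from the original posts. All identifiers, the log format (`timestamp,user,mrn,unit`), the care-team table, the watchlist and the self-access policy flag are constructed assumptions; a real deployment would pull these from the EMR audit export and the treatment-relationship data. Treating a chart access as a proxy for physical contact is likewise an assumption of the example, so the tracing output is a starting list for the tracing team, not proof of exposure.

```python
"""EMR access-log review (subjects, method, reporting) and access-log-based
contact tracing.  Added example with constructed data; not Maize product code."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Access:
    ts: datetime   # when the chart was opened
    user: str      # employee id of the person who opened it
    mrn: str       # medical record number of the patient
    unit: str      # unit the EMR recorded for the session


# --- Subjects (constructed, hypothetical ids) -------------------------------
# Employees who are also patients of the facility: employee id -> own MRN.
EMPLOYEE_MRN = {"e100": "M900", "e101": "M901"}
# Treatment relationships: MRN -> employees on that patient's care team.
CARE_TEAM = {
    "M500": {"e100", "e102", "e104"},
    "M501": {"e101"},
    "M900": {"e102"},  # employee e100 admitted; e102 is the treating nurse
}
# Employees with prior inappropriate accesses, monitored more closely.
WATCHLIST = {"e103"}
# Policy choice each facility has to make explicitly: are self-accesses allowed?
ALLOW_SELF_ACCESS = False

# Constructed audit export in a hypothetical "timestamp,user,mrn,unit" format.
SAMPLE_LOG = """
# ts,user,mrn,unit
2020-08-10T07:00:00,e104,M500,ICU   # care team, but outside the tracing window
2020-09-01T08:05:00,e100,M500,ICU   # care team: appropriate
2020-09-01T08:10:00,e102,M500,ICU   # care team: appropriate
2020-09-01T09:00:00,e101,M501,MED   # care team: appropriate
2020-09-02T12:30:00,e100,M900,ICU   # e100 opens their own chart
2020-09-02T13:00:00,e101,M900,MED   # e101 opens co-worker e100's chart
2020-09-02T13:05:00,e102,M900,ICU   # treating nurse: appropriate
2020-09-03T10:00:00,e103,M500,ICU   # watchlist subject, no treatment relationship
2020-09-03T10:30:00,e101,M500,MED   # no treatment relationship
"""


def parse_log(text):
    """Parse the constructed export; '#' starts a comment, blank lines are skipped."""
    accesses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, user, mrn, unit = (f.strip() for f in line.split(","))
        accesses.append(Access(datetime.fromisoformat(ts), user, mrn, unit))
    return accesses


# --- Method: rules a reviewer applies to every access ------------------------
def review_accesses(accesses):
    """Return (access, reason) pairs that need human review."""
    findings = []
    for a in accesses:
        own_chart = EMPLOYEE_MRN.get(a.user) == a.mrn
        on_care_team = a.user in CARE_TEAM.get(a.mrn, set())
        if own_chart:
            if not ALLOW_SELF_ACCESS:
                findings.append((a, "self-access"))
        elif not on_care_team:
            if a.mrn in EMPLOYEE_MRN.values():
                findings.append((a, "co-worker chart without treatment relationship"))
            else:
                findings.append((a, "no treatment relationship"))
        if a.user in WATCHLIST:
            findings.append((a, "watchlist subject"))
    return findings


# --- Reporting: aggregate counts for managers, detail rows for the reviewer --
def summarize(findings):
    """Count findings per reason for an aggregate report."""
    return dict(Counter(reason for _, reason in findings))


# --- Contact tracing from the same log ---------------------------------------
def trace_patient_exposure(accesses, positive_mrn, positive_date, window_days=14):
    """Employees who opened the positive patient's chart in the window before the test."""
    end = datetime.fromisoformat(positive_date)
    start = end - timedelta(days=window_days)
    return sorted({a.user for a in accesses
                   if a.mrn == positive_mrn and start <= a.ts <= end})


def trace_employee_exposure(accesses, positive_user, positive_date, window_days=14):
    """Co-workers who opened the same chart on the same day as an employee who later
    tested positive (shared-patient proxy for contact; an assumption of this example)."""
    end = datetime.fromisoformat(positive_date)
    start = end - timedelta(days=window_days)
    in_window = [a for a in accesses if start <= a.ts <= end]
    shared = {(a.mrn, a.ts.date()) for a in in_window if a.user == positive_user}
    return sorted({a.user for a in in_window
                   if a.user != positive_user and (a.mrn, a.ts.date()) in shared})


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for a, reason in review_accesses(log):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user} -> {a.mrn} ({a.unit}): {reason}")
    print("summary:", summarize(review_accesses(log)))
    print("exposed to patient M500:", trace_patient_exposure(log, "M500", "2020-09-04"))
    print("exposed to employee e100:", trace_employee_exposure(log, "e100", "2020-09-04"))
```

Run as written, the review flags five rows (one self-access, one co-worker chart, two accesses with no treatment relationship, and one watchlist hit that overlaps with one of those), which is the detail list for the reviewer; `summarize` is the aggregate view a department head or committee would see. The frequency step is simply how often the export feeding `parse_log` is pulled. Note that the co-worker who snooped on e100’s chart also turns up in the employee exposure list: the tracing logic deliberately does not judge appropriateness, so the two outputs should be read together.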


Maize Analytics Patient Privacy Monitoring Solution can help streamline this process by reviewing up to 99% of the access log for your compliance team.



OCR Cyber Newsletter January 2017 

NIST Privacy Framework Second Drafting Workshop Highlights

The National Institute of Standards and Technology (NIST) recently released a discussion draft of the Privacy Framework in preparation for the 2nd Drafting Workshop hosted in Atlanta on May 13-14, 2019.1 The primary attributes of the framework are that it is voluntary, risk- and outcome-based, non-prescriptive, written in accessible language, adaptable to diverse sectors, and compatible with all legal regimes, so that individuals can confidently use innovative technologies. The Maize team was able to attend this two-day workshop, where all stakeholders came together to engage in a facilitated discussion on the advancement of the privacy framework.

Day one of the workshop consisted of a plenary session, starting with a presentation by Peter Swire – Professor of Law and Ethics at the Georgia Tech Scheller College of Business, and Associate Director for Policy of the Georgia Tech Institute for Information Security and Privacy – who discussed the possible expansion of the OSI Stack to describe privacy tasks, followed by three panel discussions.

During the panel discussions, NIST personnel and numerous stakeholders from the private and government sectors discussed the drafting process and the primary objectives behind the Privacy Framework. Experts from diverse sectors also provided opinions regarding the discussion draft and how the framework could integrate into the global privacy landscape. Additionally, the panel stressed that the privacy framework should ensure all stakeholders involved in enterprise risk management consider the privacy impacts on individuals as the organization develops systems, products, and services.

The discussion draft defines five core functions that organizations use to operationalize a culture that addresses privacy risk. The five core functions are:

  1. Identify – Develop the organizational understanding to manage privacy risk for individuals arising from data processing or their interactions with systems, products, or services.
  2. Protect – Develop and implement appropriate data processing safeguards.
  3. Control – Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
  4. Inform – Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding of how data are processed.
  5. Respond – Develop and implement appropriate activities to take action regarding a privacy breach or event. 2

The five core functions are intended to align with the NIST Cybersecurity Framework where appropriate.  

On day 2, there were five working sessions in which small groups provided feedback on all aspects of the Privacy Framework. During these sessions, workshop participants discussed each category and subcategory of the core functions. 3 The workshop provided a great opportunity to learn about the development of the framework and to better understand the challenges privacy professionals face as legal requirements and technology evolve. NIST anticipates that a final draft of the Privacy Framework will be released by August 2019, with Version 1.0 to follow in October 2019.


1. NIST, NIST Privacy Framework: An Enterprise Risk Management Tool (Apr. 30, 2019),

2. Id. at 9.

3. Id. at 19-26.


Hospitals Spend More After Data Breach, but there is a Fix.

Two recently published reports discuss the high costs healthcare organizations incur after a data breach. The Department of Health and Human Services estimates that it takes a breached organization a full year to recover. From fines and lawsuits to rebuilding the hospital’s image, recovery means many hours of work at a high cost. Both studies, however, found that there is a way to mitigate these costs and address the problem before it starts: better data security and privacy controls.

In July 2018, the Ponemon Institute published a report analyzing the costs of data breaches that occurred over the 12 months preceding the report. The Institute found three things: (i) faster identification of a data breach reduced costs, (ii) hackers and criminal insiders caused the most data breaches (48%), and (iii) the loss of customers had significant financial consequences for the organization.

Moreover, after breaches, organizations can lose customers, which hurts their bottom line. The average cost of organizations losing less than one percent of their customers was $2.8 million; however, the average cost increased to $6 million if the organization lost four percent or more of their customers due to a data breach. The average organizational cost for a data breach in the United States was $7.91 million. The healthcare industry had the highest rate of customer churn (6.7%) associated with a data breach, while the average customer churn rate associated with a breach was 3.4%.

The cost of remediating a breach is also high with the U.S. having the highest notification costs associated with breaches at $740,000. Heavily regulated industries such as healthcare have the highest costs associated with data breaches. The per capita cost for each record breached in the healthcare sector was $408. The healthcare sector also had the highest average time to contain a breach at 100 days and the second highest average time to identify a breach, at 255 days.

Part of the cost of managing a breach is marketing and advertising. A recent report in the American Journal of Managed Care found that hospitals spend 64% more annually on advertising in the two years following a data breach. This increase reflects the cost of repairing the hospital’s image and trying to minimize patient loss to competitors.

A common theme of both reports is that deploying additional and more advanced security controls can mitigate breach costs. The Ponemon Institute stated that the “deployment of an artificial intelligence platform as part of a security automation solution” influenced the cost of a data breach. The Institute found that “deployment of an AI platform saved $8 per compromised record.” Similarly, the American Journal of Managed Care researchers wrote that “advertising costs subsequent to a breach are another cost to the healthcare system that could be avoided with better data security.”

The Ponemon Institute also found that the cost of a data breach is lower the faster the breach is identified. Companies that identified a breach in less than 100 days saved more than $1 million compared with companies that took over 100 days. The best way to mitigate the costs of a breach is to have the proper policies and solutions in place to identify a data breach early. Quick identification can save millions of dollars as a hospital works to rebuild its business and image following a breach.

Ponemon Institute. (2018, July). 2018 Cost of a Data Breach Study: Global Overview. Retrieved from

Ponemon Institute, 2018, pp. 9-10

Ponemon Institute, 2018, p. 15

Ponemon Institute, 2018, p. 25

Ponemon Institute, 2018, p. 27

Ponemon Institute, 2018, p. 18

Ponemon Institute, 2018, p. 35

Health IT Security. (2019, January). Hospitals Spend 64% More on Advertising After a Data Breach

Ponemon Institute, 2018, p. 22

Ponemon Institute, 2018, p. 9

Updates to NIST Risk Management Framework – The Compliance & Ethics Blog

Jason Williams, JD, MIST, Operations Director at Maize Analytics, recently weighed in on the updates to the NIST Risk Management Framework.

“The National Institute of Standards and Technology (NIST) released revision 2 of NIST SP 800-37, Risk Management Framework for Information Systems and Organizations, in December 2018. The revision recognizes the importance of both information security and privacy…”

Read the complete overview on The Compliance & Ethics Blog.

Managing Healthcare Insider Security Threats

Often when discussing hospital security threats, external breaches are the main focus. However, recent evidence shows those breaches are not the biggest concern to hospitals – they’re more concerned with breaches that can happen within their own halls, by their own staff.

HIMSS Media recently conducted a study on behalf of SailPoint, and the general consensus was that healthcare provider organizations are highly concerned about threats posed by insiders. Of the healthcare provider respondents, 43% said they were more concerned about insider threats to data than about external breaches. Given this concern, one might assume that these organizations have the technology in place to audit internal accesses, but that is currently not the case. Instead, the top tactics for thwarting insider threats are training and awareness programs for users. While both are important, training can only do so much, and it cannot be the whole process for preventing and detecting internal threats.

The best way to combat insider threats is by combining a training and awareness program with technology. With machine learning, user-based analytics, and artificial intelligence programs that monitor ePHI access, hospitals can catch inappropriate access to patient data. Although these programs have recently been on the rise in the healthcare industry, only 48% of healthcare provider organizations use access behavior monitoring and analytics as part of their approach to detecting insider threats. Many compliance officers are still using manual solutions for their internal auditing, which is time-consuming and cannot scale with millions of accesses per day.

There’s always a level of uncertainty when adding a tool to an auditing process. Users wonder if it will actually help, or if it will add more work to their day, making their job more difficult. When exploring potential tools, users should search for a system that is easy to use, ensures smooth integration into their current process, and will allow them to review and approve auditing policies so they can explain what the machine algorithm is doing and define their policy to regulators if needed.
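As an added illustration (not Maize Analytics code) of the kind of reviewable, explainable auditing policy described above, here is a small rule-based pass over a constructed ePHI access log that returns a plain-language reason for every finding; the log fields, roles, business hours and volume threshold are all assumptions.

```python
"""Added example (not Maize Analytics code): explainable, rule-based review of ePHI
access-log events. The log format, field names and policy thresholds are assumptions."""
from collections import defaultdict

FIELDS = ("user", "role", "unit", "patient", "pt_unit", "care_team", "hour")
# Constructed sample access log: one tuple per record view in an EHR, fields as above.
RAW_LOG = [
    ("rn_ali", "RN", "ICU", "P100", "ICU", {"rn_ali", "md_lee"}, 14),
    ("rn_ali", "RN", "ICU", "P200", "ONC", {"rn_bo"}, 15),        # outside unit, not on team
    ("bill_kim", "BILLING", "REV", "P300", "ED", {"md_lee"}, 3),  # 03:00 access by billing
    ("md_lee", "MD", "ICU", "P900", "ICU", {"md_lee"}, 10),       # P900 is md_lee's own record
    ("him_zoe", "HIM", "HIM", "P100", "ICU", {"rn_ali"}, 9),
    ("him_zoe", "HIM", "HIM", "P200", "ONC", {"rn_bo"}, 9),
    ("him_zoe", "HIM", "HIM", "P300", "ED", {"md_lee"}, 9),
]
ACCESS_LOG = [dict(zip(FIELDS, row)) for row in RAW_LOG]
EMPLOYEE_PATIENT = {"md_lee": "P900"}   # constructed: staff who are also patients
CLINICAL_ROLES = {"RN", "MD"}
BUSINESS_HOURS = range(7, 19)           # assumed 07:00-18:59
VOLUME_THRESHOLD = 2                    # assumed: distinct patients per user per day

def policy_reasons(ev, employee_patient=EMPLOYEE_PATIENT):
    """Evaluate one access event; return a plain-language reason for each policy it violates."""
    reasons = []
    if employee_patient.get(ev["user"]) == ev["patient"]:
        reasons.append("self-access: user viewed their own record")
    if (ev["role"] in CLINICAL_ROLES and ev["user"] not in ev["care_team"]
            and ev["pt_unit"] != ev["unit"]):
        reasons.append("no treatment relationship: outside own unit and not on care team")
    if ev["role"] not in CLINICAL_ROLES and ev["hour"] not in BUSINESS_HOURS:
        reasons.append("off-hours access by non-clinical role")
    return reasons

def audit(log, volume_threshold=VOLUME_THRESHOLD):
    """Return {user: [finding, ...]}: per-event policy hits plus a per-user volume check."""
    findings = defaultdict(list)
    patients_by_user = defaultdict(set)
    for ev in log:
        patients_by_user[ev["user"]].add(ev["patient"])
        for reason in policy_reasons(ev):
            findings[ev["user"]].append(f"{ev['patient']}: {reason}")
    for user, patients in patients_by_user.items():
        if len(patients) > volume_threshold:
            findings[user].append(f"volume: {len(patients)} distinct patients > {volume_threshold}")
    return dict(findings)   # every finding names the policy a reviewer can explain

if __name__ == "__main__":
    for user, reasons in audit(ACCESS_LOG).items():
        print(user, reasons)
```

Each rule is a few lines a compliance officer can read and approve, and the output names the policy behind every flag, which is the explainability the text asks for.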

It’s clear that insider threats are a high-priority concern, yet healthcare provider organizations are only beginning to leverage the powerful technology available to monitor these accesses. A proper training and awareness program combined with an auditing system that can detect and report on unauthorized access is vital to all of these organizations.

Contact us for more information on how Maize can help you manage insider threats to your healthcare institution.

Get the full report here