The First Step to Protect Against IT Hacking

IT hacking is an ever-growing issue in the healthcare industry, and 2020 was one of the biggest years for cybersecurity attacks to date. COVID-19 played a large role in the uptick, as many threats targeted remote workers and the fears surrounding the pandemic. The largest known breach of 2020, Blackbaud, was estimated to have affected at least two dozen providers and over 10 million patients.1 The breach was attributed to unauthorized access to a system that allowed the attackers to extract PII.

A common theme in cyberattacks is an attacker gaining access through an authorized user’s account, typically after an email phishing lure captures the credentials. Because the activity looks like a legitimate user, it can go undetected for months while the intruder extracts information. If compromised or stale accounts are a main route to data, the first line of defense is to review user access consistently, so that every account that exists is one that should exist and holds no more access than its owner’s job requires.

Organizations with a user access review process in place have better visibility into whether an employee’s system access is appropriate or unnecessary, which limits the number of avenues an attacker who compromises that account can use.

There are four employee types to be reviewed during user access reviews to ensure all areas of the organization are protected: current employees, new employees, non-employees (e.g. consultants), and terminated employees. 

For current employees, reviewing system access on a regular basis confirms they have access to the systems they need, and nothing more. A key element of user access reviews is ensuring that an employee is given the minimum access required to perform their job function. Limiting access to only the necessary systems limits what a compromised account can reach.

The idea of minimum necessary access carries over to new employees and the process for provisioning their access. Outlining the systems required for the role at the outset, and provisioning access only to those systems, minimizes risk; if more access is needed later, it can be granted at that time.

Non-employees are people who do work within an organization but are not employed by it: researchers, contractors, consultants, freelancers, subcontractors, and so on. While providing services, non-employees require access to systems and information, but their privileges need to be monitored so that access exists only for the period they are working and is removed when the engagement ends.

Lastly, there is a rising issue of terminated employees inappropriately accessing sensitive systems because their access rights were never deprovisioned. Deprovisioning processes should remove a terminated employee’s access across all systems, rather than only disabling the account in the central directory (for example, Active Directory); applications with their own local accounts, cloud consoles and SaaS tools will otherwise keep working for that person.

In 2020, a former Cisco employee accessed a protected computer and deleted 456 virtual machines, costing the company $2.4 million to rectify.2 Reviewing all terminated employees’ access to confirm it has been revoked correctly is an important final step in protecting against cyberattacks.

Unfortunately, and perhaps surprisingly, correctly revoking all of an employee’s access remains difficult in modern organizations for several reasons, including human error, the large number of systems deployed, and a lack of visibility into all the accounts within those systems. Moreover, manual processes that rely on managers remembering to request deprovisioning of each account individually are likely to leave gaps and potential vulnerabilities.

Reviewing current and former users’ access rights is an ongoing process, as people come and go, get promoted or move departments. To minimize organizational risk, IT teams should conduct access reviews at least quarterly, so that employees hold only the system access they need and terminated users have had all their privileges revoked. Automated processes and tools should give managers visibility into every account an individual holds across the organization, so the accounts can be deprovisioned together without anyone having to remember each step.
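The reconciliation described above, as an added worked example (not the page’s own process or any vendor’s tool): it takes an HR roster, a per-role least-privilege baseline and account exports from several systems, and produces the findings a quarterly review should raise. The record layouts, role names, entitlement names and every row are assumptions constructed for the example.

```python
"""Quarterly user-access review: reconcile the HR roster with per-system account
exports. Added example; the record layouts, the role baseline and all rows below
are constructed assumptions, not any vendor's schema or the page's own code."""
from dataclasses import dataclass

# Constructed HR roster keyed by account id. "end" is the termination or
# contract-end date as an ISO string (None for active staff); ISO strings
# compare correctly as text, so no date parsing is needed.
HR_ROSTER = {
    "e100": {"type": "employee",   "role": "nurse",   "end": None},
    "e101": {"type": "employee",   "role": "billing", "end": None},
    "e102": {"type": "employee",   "role": "nurse",   "end": "2020-06-30"},
    "c200": {"type": "contractor", "role": "analyst", "end": "2020-09-30"},
}

# Constructed least-privilege baseline: the entitlements each role needs.
ROLE_BASELINE = {
    "nurse":   {"ehr:clinical_read", "ehr:clinical_write"},
    "billing": {"ehr:billing_read", "billing_portal:user"},
    "analyst": {"warehouse:read"},
}

# Constructed exports from three systems: (system, account, enabled, entitlements).
# The directory shows e102 disabled, but the EHR still has a live account for
# the same person; that is exactly the gap a directory-only offboarding misses.
ACCOUNT_EXPORTS = [
    ("directory", "e100",    True,  set()),
    ("directory", "e102",    False, set()),
    ("ehr",       "e100",    True,  {"ehr:clinical_read", "ehr:clinical_write"}),
    ("ehr",       "e101",    True,  {"ehr:billing_read", "ehr:clinical_read"}),
    ("ehr",       "e102",    True,  {"ehr:clinical_read"}),
    ("warehouse", "c200",    True,  {"warehouse:read", "warehouse:admin"}),
    ("warehouse", "svc-etl", True,  {"warehouse:read"}),
]


@dataclass(frozen=True)
class Finding:
    system: str
    account: str
    issue: str    # orphan | terminated | contract_expired | excess_entitlement
    detail: str


def review_access(roster, baseline, exports, as_of):
    """Return the findings an access review dated `as_of` (ISO string) should raise."""
    findings = []
    for system, account, enabled, entitlements in exports:
        if not enabled:
            continue                      # a disabled account is not an exposure
        person = roster.get(account)
        if person is None:                # nobody in HR owns this account
            findings.append(Finding(system, account, "orphan",
                                    "enabled account with no HR record"))
            continue
        end = person["end"]
        if end is not None and end < as_of:
            issue = "terminated" if person["type"] == "employee" else "contract_expired"
            findings.append(Finding(system, account, issue,
                                    f"{person['type']} ended {end} but account is still enabled"))
            continue                      # deprovision first; reviewing entitlements is moot
        extra = entitlements - baseline.get(person["role"], set())
        if extra:                         # more than the role's minimum
            findings.append(Finding(system, account, "excess_entitlement",
                                    "beyond role baseline: " + ", ".join(sorted(extra))))
    return findings


def accounts_to_deprovision(findings):
    """Group every system that still holds a removable account by person, so a
    manager sees the complete list instead of having to remember each system."""
    out = {}
    for f in findings:
        if f.issue in ("terminated", "contract_expired", "orphan"):
            out.setdefault(f.account, set()).add(f.system)
    return out


if __name__ == "__main__":
    findings = review_access(HR_ROSTER, ROLE_BASELINE, ACCOUNT_EXPORTS, "2020-10-15")
    for f in findings:
        print(f"[{f.issue}] {f.system}/{f.account}: {f.detail}")
    print("deprovision:", accounts_to_deprovision(findings))
```

The four finding types map onto the four employee types in the review: excess entitlements for current staff, expired engagements for non-employees, live accounts for terminated employees, and orphan accounts that no one in HR owns (often service accounts or leftovers from a departed contractor). Note that the directory export shows e102 disabled while the EHR does not; an offboarding that only disables the directory account would never see it.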

IT hackers continue to go after healthcare organizations. Data protection starts with user access reviews to quickly identify and remove any unnecessary access, which will limit the avenues for attackers to exploit. Implementing processes to conduct regular and complete user access reviews can put healthcare organizations in a better position to catch and mitigate risk from cyberattacks. 


Why Telehealth Needs to Tighten Cybersecurity Measures

Some experts warn that the ongoing pandemic is not an unprecedented event. Historically, there have been numerous infectious diseases that have swept the globe. And though it may not be within the next few decades or century, another global pandemic is possible after COVID-19 has been quelled.

The pandemic has put the health care system under tremendous strain. One method to combat this strain was the accelerated uptake of digital technologies to deliver healthcare services on a remote basis, or what is known as telehealth. Telehealth provides physical safety for healthcare providers and patients, given that they don’t have to risk exposure to facilities overloaded with COVID-19 cases. However, with the increased dependence on cyber tools, the healthcare system is at a heightened risk of cyberattacks. Though both telehealth services and cyberattacks were present long before the pandemic, the heightened use of online platforms has magnified the risk factor.

How the pandemic increased cybersecurity risk

The digital landscape is rife with cyber threats as businesses shift to online transactions. According to a study by the University of Maryland, hackers execute cyberattacks 2,244 times a day on average,1 that is, one attempt every 39 seconds. As the healthcare sector continues to expand access to telehealth offerings, research from SecurityScorecard and DarkOwl underscores that telehealth has become a major target for cybercriminals. The researchers found increases in several risk vectors, including IP reputation alerts (117%), patching issues (65%), and endpoint alerts (56%). There was also a surge in mentions of telehealth apps and credentials on the dark web, potentially indicating high demand for illegally acquired medical data.2

Karen Schechter, director and assistant professor of Maryville University’s online health administration program,3 says that the problem is the rapid migration to these technologies. Cybersecurity was already an issue for healthcare, and the accelerated adoption of healthcare technologies during the pandemic has compounded it. Schechter goes on to explain that many healthcare organizations are unable to keep up with digital shifts such as this one.4 Smaller and individual providers are especially affected by constraints such as a lack of financial resources and a lack of relevant training among employees. The lack of training in particular is hard to overcome, as many healthcare systems simply do not have the expertise to carry out cybersecurity measures effectively. The result is gaps that malicious actors look for and exploit.


How data breaches affect organizations and individuals

Data breaches are without a doubt a severe risk for healthcare providers and their patients. Organizations that suffer a cybersecurity incident have to do damage control: halting operations until the system is secured again, tracing the extent of the damage and repairing it, and compensating those affected by the breach. All of this can be very costly. Even the act of notifying affected parties can set a healthcare facility back thousands of dollars, and repairing the organization’s reputation is a major expense on its own. A report in the American Journal of Managed Care found that hospitals spend 64% more on advertising in the two years following a data breach.5

For individuals, the damage can be more extreme and harder to repair. Selling stolen medical information has become more lucrative than selling credit card information, according to findings published by HealthTech Magazine.6 Medical records can sell for up to $1,000 online, and malicious actors can do far more with highly detailed information. For example, they can extort targets who do not want a medical condition, such as a sexually transmitted disease, revealed. Criminals also use personal information to obtain loans and commit other fraud, which can damage a person’s life for years to come.

Given these broad concerns, cybersecurity risks must be taken even more seriously, especially now that telehealth is becoming more normalized. Healthcare providers, specifically those that offer remote services, must heavily invest in cybersecurity measures to protect their data as well as their patients’.

By Jewelyn Burke


University Student Data and COVID-19: What can be shared?

The long-awaited return of students to schools has arrived, with some students attending school remotely while others attend classes on-site at academic institutions. We have also seen the unintended spread of COVID-19 at these institutions and, as a result, many schools have opted to discontinue on-site classes and switch to remote learning. In some instances, students who have tested positive for COVID-19 have been asked either to return home or to quarantine in specified dorms to prevent the spread of the virus to other students, faculty, and staff.

In these instances, there are people or organizations that may need to be notified if students, teachers, or other university staff have tested positive for COVID-19. Contact tracing may also be implemented at the university to help limit the spread of the virus. This raises a complicated question: whom can the university notify, what information can it share, and what guidelines should be followed when dealing with COVID-19 at academic institutions? The answer depends on the situation, as a university must assess whether the information is Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Personally Identifiable Information (PII) under the Family Educational Rights and Privacy Act (FERPA), or both.

HIPAA requires covered entities to protect patients’ PHI through appropriate safeguards, and it sets limits and conditions on the uses and disclosures of PHI that may be made without patient authorization. One such permitted disclosure is to prevent a serious and imminent threat; the Office for Civil Rights (OCR) has deemed COVID-19 such a threat, so some patient information can be shared with appropriate parties. Similarly, FERPA protects the privacy of student education records and prohibits educational institutions from disclosing PII in education records without written consent from the student (or from a parent if the student is under 18 and not yet attending a postsecondary institution). “Education records” include any information directly related to a student and maintained by an educational agency or institution, or by a party acting for it, and a student’s health records fall under FERPA’s definition of “education records”.1 FERPA also has a list of permitted disclosures, including health and safety emergencies. So how do universities navigate these two laws when notifying others that a student, teacher, or other staff member has tested positive for COVID-19?

Ordinarily, a student’s health record falls under FERPA, and HIPAA does not apply. So, for example, if a student visits a campus medical center operated by the university, that record falls under FERPA, and the institution would need a permitted reason to disclose the information. For a hospital affiliated with a university subject to FERPA, a student’s hospital record is not an “education record”, because the facility provides services without regard to the person’s status at the university, so that record falls under HIPAA. But if that hospital runs a student clinic, those clinic records fall under FERPA. The U.S. Department of Health and Human Services and the U.S. Department of Education issued a Joint Guidance on the Application of FERPA and HIPAA to Student Health Records in December 2019, which further elaborates on how these rules apply to records maintained on students: Joint Guidance on the Application of FERPA and HIPAA To Student Health Records – 2019

For the current COVID-19 pandemic, the U.S. Department of Education released a series of FAQs covering FERPA and COVID-19, including a sample FERPA consent form: Department of Education Student Privacy Policy Office – FERPA & Coronavirus Disease 2019 FAQs – March 2020. The FAQs explain that if a student has COVID-19, it is generally sufficient to tell other students and/or their parents that a positive case has been found on campus, rather than identifying the infected student. For example, a university can email students and parents that there is a confirmed COVID-19 case on campus to notify them of a potential risk of exposure. If a student’s PII does need to be disclosed, the disclosure must meet the health and safety emergency exception under FERPA and may go only to appropriate parties, i.e. law enforcement, public health officials, trained medical personnel, and parents (PII cannot be disclosed to the media, which is not an appropriate party under FERPA).

FERPA generally requires educational agencies and institutions to maintain a record of each request for access to and each disclosure of PII from the education records of each student. When making a disclosure under the health or safety emergency provision in FERPA, universities are specifically required to record the articulable and significant threat to the health or safety of a student or other individual that formed the basis for the disclosure and the parties to whom the university disclosed the information.

After finalizing the required analysis, and assuming the university and/or HIPAA “covered entity” can notify appropriate parties, it may be prudent to also conduct contact tracing to prevent further spread of COVID-19. Both healthcare providers and academic institutions can benefit from contact tracing technology to expedite this process while protecting student information. If a school intends to implement a contact tracing system for COVID-19, it is advisable to prepare consent forms for parents and eligible students to allow for the potential sharing of “directory information” (i.e. a student’s name, address, phone number) that is linked to non-directory information (information regarding a student’s COVID-19 illness).

Protecting the student information is essential, and having an understanding of FERPA is key for universities to ensure the confidentiality, health, and safety of its students during the COVID-19 outbreak. Under these guidelines, the PII in student education records cannot be disclosed without written consent from the student, unless there is a reason for exemption. With the COVID-19 pandemic affecting the nation, the FERPA health and safety emergency exemption comes into play, allowing universities to release a student’s PII to appropriate parties (law enforcement, public health, trained medical personnel, and parents) if disclosure is needed. Having an understanding of the FERPA guidelines and exemptions will help universities protect the health and privacy of their students during this time.

1 Joint Guidance on the Application of FERPA and HIPAA To Student Health Records – 2019



Elizabeth B. Ruszczyk, JD, CIPP, CHC, CHRP


Elizabeth B. Ruszczyk, Esq., most recently served as the Vice President and Chief Compliance and Privacy Officer at UF Health. UF Health is a private, not-for-profit healthcare system affiliated with the University of Florida and its Health Science Center campuses in Gainesville and Jacksonville. From 2016 to 2019, Ms. Ruszczyk also simultaneously served as the Executive Associate Vice President, Chief Compliance and Privacy Officer for the University of Florida. Ms. Ruszczyk has nearly 20 years of extensive experience developing and implementing all aspects of privacy and compliance programs for health systems and academic research institutions. Prior to her tenure at UF Health, Ms. Ruszczyk worked as a commercial litigation associate with Smith, Gambrell & Russell, LLP, in the firm’s Jacksonville, Florida office. Currently, Ms. Ruszczyk provides specialty consulting services in the fields of healthcare privacy and compliance.

Protecting Employee and Patient Privacy in the New Normal

Over the last several weeks, most of the United States has been in various phases of “re-opening” after the COVID-19 pandemic shutdowns. As physical offices open back up, many employers are refreshing their telecommuting policies or initiating their own “return to work” programs. Because this is such uncharted territory, many organizations have been engaging in dialogue about how to safely bring their employees back to the workplace. Of course, this reintroduction is occurring under a “new normal” regulatory scheme that intends to maintain employee privacy.

The COVID-19 pandemic has challenged the healthcare sector in unimaginable ways and as a consequence, government regulators have been forced to make seemingly instantaneous changes to complex laws (and/or issue additional guidance) in a host of compliance areas including HIPAA, the ADA, and other EEO Laws.

Under HIPAA, employee records are distinct from patient records, even if the information in an employee record is health-related (a doctor’s note or other health information pertinent to sick leave, workers’ compensation, etc.). However, the Americans with Disabilities Act (ADA) requires all medical information about a particular employee to be stored separately from the employee’s personnel file and requires access to this confidential information to be limited. In any healthcare organization, there are certainly instances when an employee becomes a patient, maybe even a COVID-19 patient in the current climate. In such cases, there may be sensitive details about the employee’s health in both their employee and patient records. HIPAA and ADA protections would both apply, but it is important to ensure the organization has policies in place to monitor and protect both silos of information, as well as to control who within the organization needs access to or knowledge of the employee’s health situation.

Healthcare Privacy Officers work to ensure patient medical data are protected.  Employees who are patients have unique privacy interests that should not be overlooked when developing any new policies or protocols. Policies on what information should be disclosed to managers and co-workers about an employee’s absence, for example, can ensure the proper care is taken to meet compliance regulations. Similarly, technology is needed to monitor for abuse of access rights, such as when employees snoop on medical records.

One way to ensure the privacy of patient and employee medical records is upheld is to implement a technology solution that can help Privacy Officers carry out these policies. Machine learning solutions such as the Maize Analytics Patient Privacy Monitoring solution assist privacy teams in monitoring for inappropriate uses of medical data by learning to differentiate normal from irregular access patterns.

The Maize Privacy Monitoring solution also includes a contact tracing system that leverages the access log to identify employee exposure and trace back infections. Contact tracing allows healthcare organizations to quickly notify employees who have come into contact with a patient who later tests positive for COVID-19, or with another employee who later tests positive. Being able to act early is essential to protect the health and privacy of employees.
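An added example of exposure tracing from the EHR access log, written for this page rather than taken from Maize’s product: it treats a chart access as a proxy for contact with that patient, and treats two staff members who opened the same chart within a few hours as having shared a shift. The infectious window (2 days before to 10 days after a positive test), the 12-hour co-location threshold, the log format, and every log line, test result and employee-to-patient link are constructed assumptions.

```python
"""Exposure tracing from an EHR access log. Added example, not Maize's product
code. Assumptions (also noted in comments): an access to a patient's chart is
used as a proxy for contact with that patient; an infectious window of 2 days
before to 10 days after a positive test; and two staff members who opened the
same chart within 12 hours of each other are treated as having worked the same
shift. Every log line, test result and employee-patient link below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines: timestamp,user,patient,action
ACCESS_LOG = """\
2020-07-01T08:05:00,nurse_a,P1001,view
2020-07-01T08:40:00,nurse_b,P1001,view
2020-07-01T09:10:00,billing_c,P1001,view
2020-07-02T14:00:00,nurse_a,P1002,view
2020-07-03T10:00:00,doc_d,P1001,view
2020-07-05T11:00:00,nurse_b,P3001,view
2020-07-20T10:00:00,nurse_e,P1001,view
"""

# Constructed positive tests (patient id -> test date). P3001 is the patient
# record of employee nurse_a, who was tested after becoming a patient.
POSITIVE_TESTS = {"P1001": "2020-07-02", "P3001": "2020-07-03"}
EMPLOYEE_PATIENT_IDS = {"nurse_a": "P3001"}

PRE_DAYS, POST_DAYS = 2, 10          # assumed infectious window around the test date
COLOCATION = timedelta(hours=12)     # assumed "same shift" proximity


def parse_log(text):
    """Parse the CSV-style log into (timestamp, user, patient, action) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, patient, action))
    return rows


def infectious_window(test_date):
    """Half-open [start, end) datetime window around an ISO test date."""
    t = datetime.fromisoformat(test_date)
    return t - timedelta(days=PRE_DAYS), t + timedelta(days=POST_DAYS + 1)


def direct_exposures(rows, positives):
    """user -> set of positive patients whose chart the user opened in-window."""
    exposed = defaultdict(set)
    for ts, user, patient, _ in rows:
        if patient in positives:
            lo, hi = infectious_window(positives[patient])
            if lo <= ts < hi:
                exposed[user].add(patient)
    return dict(exposed)


def employee_exposures(rows, positives, employee_patient_ids):
    """user -> set of positive employees the user worked alongside: the two
    opened the same chart within COLOCATION while the employee was infectious."""
    positive_staff = {u for u, pid in employee_patient_ids.items() if pid in positives}
    by_patient = defaultdict(list)
    for ts, user, patient, _ in rows:
        by_patient[patient].append((ts, user))
    out = defaultdict(set)
    for pos_user in positive_staff:
        lo, hi = infectious_window(positives[employee_patient_ids[pos_user]])
        for events in by_patient.values():
            pos_times = [ts for ts, u in events if u == pos_user and lo <= ts < hi]
            for ts, user in events:
                if user != pos_user and any(abs(ts - pt) <= COLOCATION for pt in pos_times):
                    out[user].add(pos_user)
    return dict(out)


def notification_list(rows, positives, employee_patient_ids):
    """Sorted (user, reason) pairs for the occupational-health team to contact."""
    notify = set()
    for user, patients in direct_exposures(rows, positives).items():
        notify.add((user, "patient:" + ",".join(sorted(patients))))
    for user, staff in employee_exposures(rows, positives, employee_patient_ids).items():
        notify.add((user, "co-worker:" + ",".join(sorted(staff))))
    return sorted(notify)


if __name__ == "__main__":
    for user, reason in notification_list(parse_log(ACCESS_LOG), POSITIVE_TESTS, EMPLOYEE_PATIENT_IDS):
        print(user, reason)
```

Because the access log only approximates contact, the output is a list for occupational health to triage, not a verdict: billing_c appears as exposed although a billing user may never have entered the room, and the positive employee nurse_a appears on the direct-exposure list for the chart they opened while infectious. Filtering by role or by access type (bedside device versus back-office workstation) is the obvious refinement once that metadata is in the log.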

Inappropriately accessing medical records is an ongoing issue, even during the current COVID-19 pandemic. With hospitals at the center of the response, and also places where the virus is likely to spread, it is important that policies, procedures, and systems are in place to track inappropriate access to patient records, including employees snooping on co-workers’ COVID-19 statuses.

The U.S. Equal Employment Opportunity Commission (EEOC) has published a list of resources on what employers should know about COVID-19, the ADA, the Rehabilitation Act, and other EEO laws that can be useful for Privacy Officers and compliance teams.



Elizabeth B. Ruszczyk, JD, CIPP, CHC, CHRP



Protecting Patient Privacy during COVID-19

With the rapid spread of COVID-19 across the country, and increasing numbers of infected patients at hospitals, compliance and privacy teams are taking extra precautions to protect sensitive patient information. Here are some tips to help ensure your organization is protecting patient privacy during the COVID-19 outbreak:

1. Stay up-to-date on all announcements from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). While the HIPAA Privacy Rule remains in force and enforceable, the OCR has released several waivers and enforcement discretion notices covering disclosures of Protected Health Information (PHI) during the COVID-19 crisis. These include enforcement discretion for community-based testing sites, business associates, and telehealth services. These announcements are critical for compliance and privacy teams to ensure they remain compliant during this time, so it is important to check the OCR website continually for new information.

Maize also maintains a page of these resources for quick access.

2. Daily tracking of COVID-19 patients. It is important to monitor record accesses for all COVID-19 patients on a daily basis so that inappropriate accesses are found and mitigated in a timely manner.

3. Notify all employees to stay vigilant. During this pandemic, there has been an increase in cyberattacks on healthcare organizations. It is important for compliance and privacy teams to inform all employees of these risks and to communicate procedures for reporting suspicious activity. Scams have included calls from people claiming to work for the OCR in order to bait healthcare employees into divulging PHI, as well as phishing and malware emails.
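An added example of the daily tracking recommended in tip 2, and of the monitoring for snooping on co-workers’ COVID-19 statuses discussed in the previous post. It is not Maize’s product logic; the inputs (a day’s access log with the user’s department, the list of COVID-19 patients, a care-team table, and a map of patient records that belong to staff members), the reporting policy and all data are assumptions constructed for the example.

```python
"""Daily review of accesses to COVID-19 patients' records. Added example, not
Maize's product logic. Assumes four inputs a monitoring team would have: the
day's EHR access log, the set of patients flagged COVID-19 positive, a care-team
table of users with a documented treatment, payment or operations reason to open
each chart, and a map of patient ids belonging to staff members. The policy that
self-access through a workforce account is reportable is also an assumption.
All data below is constructed."""
from collections import Counter

# Constructed log for one day: (user, user's department, patient)
DAILY_LOG = [
    ("nurse_a", "icu",      "P1001"),
    ("nurse_a", "icu",      "P1001"),
    ("doc_b",   "icu",      "P1001"),
    ("clerk_c", "billing",  "P1001"),
    ("nurse_d", "icu",      "P3001"),
    ("nurse_f", "oncology", "P3001"),
    ("nurse_f", "oncology", "P3001"),
    ("nurse_f", "oncology", "P3001"),
    ("nurse_e", "oncology", "P3001"),
    ("nurse_g", "icu",      "P9999"),   # not a COVID-19 patient; out of scope today
]
COVID_PATIENTS = {"P1001", "P3001"}
CARE_TEAM = {"P1001": {"nurse_a", "doc_b"}, "P3001": {"nurse_d", "doc_b"}}
EMPLOYEE_PATIENTS = {"P3001": ("nurse_e", "oncology")}   # patient -> (staff user, dept)

SEVERITY_RANK = {"high": 0, "medium": 1}


def classify(user, dept, patient, care_team, employee_patients):
    """Return (severity, reason) for an out-of-care-team access, or None if it is expected."""
    if user in care_team.get(patient, set()):
        return None                                   # documented relationship on file
    if patient in employee_patients:
        staff_user, staff_dept = employee_patients[patient]
        if user == staff_user:
            return ("medium", "employee opened own record through a workforce account")
        if dept == staff_dept:
            return ("high", "co-worker in the same department opened an employee's record")
        return ("high", "employee's record opened without a care-team relationship")
    return ("medium", "no care-team relationship to a COVID-19 patient")


def daily_report(log, covid_patients, care_team, employee_patients):
    """Aggregate the day's COVID-19 chart accesses per (user, patient) and rank alerts."""
    counts = Counter((u, d, p) for u, d, p in log if p in covid_patients)
    alerts = []
    for (user, dept, patient), n in counts.items():
        verdict = classify(user, dept, patient, care_team, employee_patients)
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append({"user": user, "patient": patient, "accesses": n,
                       "severity": severity, "reason": reason})
    # highest severity first, then the most repeated access pattern
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a["severity"]], -a["accesses"], a["user"]))


if __name__ == "__main__":
    for a in daily_report(DAILY_LOG, COVID_PATIENTS, CARE_TEAM, EMPLOYEE_PATIENTS):
        print(f"{a['severity']:6} {a['user']:8} {a['patient']} x{a['accesses']}  {a['reason']}")
```

Run daily against the previous day’s log, this gives a privacy analyst a short ranked list instead of the raw access stream: a same-department colleague repeatedly opening an employee-patient’s chart sorts to the top, while a single billing access with no recorded payment reason is a medium-priority follow-up. The care-team table is what keeps the noise down; if the organization cannot produce one, every access to a flagged patient becomes an alert and the report stops being useful.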

Protecting patient information is always important, but during a pandemic, the significance of compliance and privacy teams within healthcare organizations becomes heightened. We hope these tips will help, and we thank you and all the employees at your organization for the work you have been doing to help during this time.

COVID-19 Resources

Maize Analytics wants to ensure that you have all the resources you need to help stay up-to-date on compliance and privacy news during the COVID-19 pandemic. We thank you and all the healthcare workers in your organization for all the work you do to protect and save lives. 


The Health and Human Services (HHS) Office for Civil Rights (OCR) COVID-19 page includes announcements, notifications, guidance and more. Visit their page.

For all news releases from the HHS OCR, visit their Official News page.

To join the OCR Privacy Email List for direct updates, register here.

A separate resource page compiles various resources from HHS and the CDC related to COVID-19 for the health IT community and healthcare providers. Visit that resource page.


ICD Codes for COVID-19 

The Centers for Disease Control and Prevention (CDC) has released 2 documents with ICD-10-CM coding guidelines for encounters related to COVID-19.


HHS OCR HIPAA Privacy Bulletin: February 3, 2020
The HHS OCR issued this bulletin for guidance on how patient information can be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation.


COVID-19 & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency
In March 2020, the Secretary of HHS, Alex Azar, exercised his authority to waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the Privacy Rule.


Telehealth Enforcement Discretion Announcement
To help medical providers serve patients during COVID-19, the OCR announced it will waive potential penalties for HIPAA violations against providers serving patients using everyday communication technologies.


HHS OCR Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19
HHS OCR announced that it will not impose penalties against covered entities or their business associates for uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 public health emergency.


COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities
To help protect first responders and prevent further spread of the COVID-19 virus, the OCR released guidance on sharing PHI of individuals infected or exposed to COVID-19 with first responders.


HIPAA Enforcement Discretion Regarding COVID-19 Community Based Testing Sites (CBTS) During the COVID-19 Nationwide Public Health Emergency
On April 9, 2020, the OCR issued a Notification of Enforcement Discretion announcing that it will not impose penalties against covered entities or business associates for HIPAA violations arising in the operation of a COVID-19 community-based testing site (CBTS) during this public health emergency.

Maize Analytics Operations Director Published Part II of Thesis: Security and Privacy of the Integrated Clinical Environment

Maize Analytics’ Operations Director, Jason Williams, MSIT, JD, LLM, CIPP/US, recently published the second article of his three-part thesis series: Security and Privacy of the Integrated Clinical Environment in the Journal of Health Care Finance.

Following Part I of his thesis series, which was a discussion of interoperability and the integrated clinical environment (ICE), Part II reviews the concept of privacy engineering and the various frameworks and methodologies from the National Institute of Standards and Technology (NIST).

Read the full thesis for an overview of privacy engineering and of how the NIST tools can be used to manage privacy and security in an interoperable ICE throughout an enterprise. Stay tuned for Part III to see how to integrate these frameworks and methodologies into an enterprise architecture, so that an organization deploying an interoperable ICE meets its obligation to protect the privacy and security of patients’ health information.1


Read Part II

1. Security and Privacy of The Integrated Clinical Environment Part II at 16

Read Part I

Maize Analytics Operations Director Publishes Thesis: Security and Privacy of the Integrated Clinical Environment Part I

Maize Analytics’ Operations Director, Jason Williams, MSIT, JD, LLM, CIPP/US, recently published the first article of his three-part thesis series: Security and Privacy of the Integrated Clinical Environment in the Journal of Health Care Finance.

Part I of this thesis series reviews the basic concepts of interoperability and the integrated clinical environment (ICE), the legal and regulatory framework impacting an interoperable ICE, and an overview of the risks associated with the deployment of an interoperable ICE.

Read the full thesis to get an introduction to the basic concepts of the integrated clinical environment and the challenges present. Part II will discuss how privacy and security risks can be addressed through the NIST Privacy Frameworks and privacy engineering concepts.


Read Part I



What’s ahead for AI and Machine Learning in healthcare?

In 2019, we saw increased interest and adoption of machine learning (ML) and artificial intelligence (AI) technology in healthcare. Organizations have been piloting solutions that range from helping diagnose patients, to ensuring the privacy of their data. While the industry is beginning to see some benefits from these tools, many end-users are starting to ask important questions like: how does the tool work, or where are my data stored?

Similarly, in the last year, we have also seen organizations increasingly send and store their data at third-party vendors instead of on-premises. The combination of these two trends has raised concerns about data protection and the vendor’s appropriate use of data.

These conversations are driving the three biggest topics in 2020 for machine learning and AI in healthcare: accountability, interpretability, and transparency.

Accountability of machine learning systems allows organizations to trust that the system is doing the task it was designed for, to track which data sets were used to train the algorithms, and to identify data quality issues. In the hospital setting, these ML systems direct care decisions, so care must be taken to detect bias or other data issues.

Interpretability in machine learning ensures that organizations can understand why a system makes a decision. For example, if a system predicts patient discharge, it is important to understand which features led to its decision. Interpretability is essential to build trust in machine learning systems, especially in the complex environments of clinical care.

Transparency of data usage in machine learning systems allows organizations to know where their data are stored, how their data are used in machine learning models, and whether their data are combined with other data sets. Currently, once data are sent to a third-party vendor, healthcare organizations have no visibility into what is done with them. Better transparency ensures that healthcare data are protected and used only as intended.

The adoption of machine learning solutions in healthcare will continue in 2020, along with new policy guidelines for AI/ML in healthcare. In April 2019, the FDA released a discussion paper titled Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD),1 which identifies the tension between AI/ML software and regulatory agencies. AI/ML software continually learns, evolves, and improves at a rapid pace, while regulatory agencies seek to control the environment and understand the implications of the technology before it impacts patient care.

The FDA’s discussion paper indicates a shift in the regulatory framework is coming. Accountability, interpretability, and transparency will be at the focal point of the discussion to ensure that these technologies can be utilized to improve patient care, while understanding the risks to healthcare organizations and patient data.

1 Dept. of Health & Human Servs., U.S. Food & Drug Admin., Proposed Regulatory Framework for Modification to Artificial Intelligence/Machine Learning (AI/ML) – Based Software as Medical Device (SaMD), Discussion Paper and Request for Feedback (Apr. 2019).

Engagement with Executive Management: How to Arm Compliance with Specific Data That Informs Decision Making

I was recently listening to a webinar when someone asked a question that I often ask: “How do I get business executives to care as much about compliance as I do?” I expected the answer to be the same one I have heard a hundred times: “You have to make them understand the risks… you have to make sure they understand the potential for personal liability… you have to explain the government’s expectations… etc.” The answer the speaker gave was more insightful; she said, “You can’t.” She went on to explain that if you, as the compliance officer, are not the individual in your company who cares most about compliance, who is the most excited about your compliance program, then you are probably in the wrong position.

I think rather than asking how to get business executives excited about compliance, we should ask how we can frame our compliance metrics in a way that supports the things that make the business executives really excited about the work compliance does.

Metrics: What’s Important to Executives?

Many of us in the compliance field produce benchmarking data for the board and executive management teams. A small sampling of typical metrics include:

  • Number of hotline calls received (by location, business unit, anonymous/identified, allegation, etc.)
  • Length of time to respond to hotline call
  • Source of hotline awareness
  • Number and type of privacy violations
  • Number of active compliance investigations (by type, location, allegation, etc.)
  • Length of time to close investigation
  • Number of training programs delivered
  • Training completion rates
  • Policy dissemination acknowledgements

While these metrics can give important information about the performance of the compliance program, they don’t really convey to the executive team what the program means for the business. I would argue that it is often difficult to engage executive management in your compliance program because you are not providing them with any information framed in a manner that helps them manage their critical strategic and operational priorities.

So, let’s think about some of those business priorities. In my experience, healthcare executives are focused on quality, revenue, costs, growth, patient, employee and physician satisfaction, and reputational, financial and operational risk. How do you use these priorities to effectively show executives what is going well in your compliance program and what requires their attention? How can your metrics help executives understand their risk position? How do you help executives establish a meaningful risk tolerance level?

To answer these questions, you first need to determine the types of data you will provide. Generally, there are two types of metrics: process metrics and outcome metrics.

Process Metrics and Outcome Metrics

Process metrics are those data that show program effectiveness (hotline reports received, number responded to timely, trainings completed, policies distributed, etc.). Process metrics should include an indication of how the measure is trending over time and some indication of criticality to help your executives understand those data that require their attention, those that don’t, and those that should be celebrated.

Outcome metrics are those data that show the results of your auditing, monitoring, and investigation programs which address specific risk areas (new physician coding audit, focused claim coding audits, employee access audit, etc.). Outcome measures should be tied to your risk assessment priorities and are often easier to align with strategic priorities.

Gather and Connect Metrics

Your metrics should derive from the seven elements of an effective compliance program, your risk assessment priorities, and specific risk areas. It is important, however, that you don’t try to use data to develop metrics for every aspect of your compliance program. Remember, your executives are getting data from various departments across the organization, and data fatigue is a very real problem. Copious amounts of data will cause your executives’ eyes to glaze over, and the message you are trying to convey will be lost.

Consider aggregating some of your department data into a few key metrics that can drive a story aligned with the organizational strategy. For example, you may want to take all of your compliance program effectiveness measures and provide a single effectiveness score which can be trended over time. Similarly, you can take specific risk area measures that affect one of the key strategic priorities and aggregate them into a single strategy score (i.e. provide a Readiness for Growth measure that combines your auditing results that affect Growth).

Keep in mind that not every audience requires the same data. Your Compliance Committee may need significantly more information about specific reporting elements than other members of your executive management team. Know what actions, decisions, or discussion you want to elicit from the group and tailor your data and metrics to the audience’s charter.

Finally, consider how to connect your information with other information gathered by the organization. For example, if Quality is collecting information specific to patient satisfaction, think about how your data may inform the quality data. Are you seeing more hotline calls coming in from units that are reporting poor patient satisfaction? Are you seeing more data breaches from units that are reporting poor patient satisfaction? When you can integrate your data with other data collected in the organization, executives can better understand what the data mean on an overall scale.

Engage Executives

To engage your executive management in your compliance program, you need to provide them with information that can help inform their strategic priorities. This approach requires a different mindset by compliance officers. Most compliance data provided to the executive team is designed to express potential compliance risk without being tied more closely to the organization’s strategic priorities. The data you provide should include both process measures and outcome measures and should be tailored to the audience you are presenting the information to. By aligning your compliance metrics with the organization’s strategic priorities, you are seen as a partner in achieving organizational goals rather than just managing goals separate from the rest of your organization.

As your organization’s compliance professional, you have a lot of data available to you. Your challenge is taking all that data and leveraging it into meaningful and actionable information for your executives that aligns with the organization’s strategic, financial, and operational objectives. This engagement will form the partnership you need to minimize risk and grow your program’s visibility.

OIG HHS Healthcare Compliance Program Tips

Margaret has over twenty years of experience in healthcare compliance, including roles as Chief Compliance Officer for large integrated health systems providing services in multi-state geographies. She is recognized as an industry thought leader and speaker, including addressing the US Senate Finance Committee and other government agencies. Margaret is also the past President and current member of the Board of Directors of the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA), supporting and promoting integrity programs nationally and internationally.

Preliminary Draft of NIST Privacy Framework Released

“Like building a house, where homeowners get to choose room layouts but need to trust that the foundation is well-engineered, privacy protection should allow for individual choices, as long as effective privacy risk mitigations are already engineered into products and services.”1

The National Institute of Standards and Technology just announced the release of the Preliminary Draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. In the draft, NIST discusses the current challenges facing organizations when it comes to privacy, which stem from its broad nature. It is difficult to write directions for achieving privacy because there is no one-size-fits-all approach. The Privacy Framework’s goal is to be a resource for organizations that communicates privacy in a flexible manner and that can be used by different parts of an organization’s workforce.

One issue relating to the broad nature of achieving privacy that was discussed during development was how to describe the relationship between privacy and cybersecurity and how to address their overlap. There were two options presented for the Privacy Framework Core: one that integrated the NIST Cybersecurity Framework and one that did not. In the end, NIST integrated the Privacy Framework with the Cybersecurity Framework and identified where the two are different, identical, or aligned but with adapted text.

The Privacy Framework is divided into three parts: the Core, Profiles, and Implementation Tiers. The Core is divided into five functions: Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P, along with their respective categories and subcategories. Next, Profiles are where organizations select and prioritize specific activities and outcomes from the Core to help them manage privacy risk based on their specific needs. This is where the customization comes into play, allowing organizations to be flexible and choose the paths that fit their needs best. Finally, Implementation Tiers provide a point of reference for the organization’s decision making. Organizations are encouraged to progress to Tier 2; however, an organization’s privacy risks may require it to achieve Tier 3 or Tier 4, or some part of the highest two tiers.

The framework is designed to enable diverse organizations to implement a new privacy program or improve upon an existing one. It keeps technological innovation and vendor management in mind and provides a way to strengthen accountability at all levels of an organization. This draft is a major step in creating a resource all organizations can use to build a better privacy program.

NIST has released the framework draft for public feedback that can be submitted to [email protected] through October 24, 2019.

1 U.S. Dep’t of Commerce, Nat’l Inst. of Standards & Tech., NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Preliminary Draft 3 (Sep. 6, 2019).

4 Tips for Building a Successful Access Monitoring Process

Monitoring is the 5th of the 7 elements of an effective compliance program. It is a continuous task that compliance and privacy teams must perform to ensure that any inappropriate accesses are detected and resolved in a timely manner. When discussing how your team should go about monitoring, remember to design a process in line with your team’s and your healthcare facility’s priorities.

When looking to build a successful monitoring process, 4 things need to be considered:

1. The Subjects

The first thing to determine is the subjects of your monitoring effort. Some questions that your team should consider:

– What/who are you monitoring? — Lay out the parameters of what and who your team will be monitoring. Know what information needs to be monitored (patient accesses, VIPs, newborns, employees who have made previous inappropriate accesses, etc.) and which systems to pull data from.

– What are you looking for? — Map out what is appropriate and inappropriate for your facility. For example, it should be noted whether self-accesses are appropriate or not at your healthcare facility.

2. Methods

As stated by the HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)), covered entities are required to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI).  Therefore, your team must have a method in place to monitor ePHI.

Lay out the method of your team’s monitoring processes and the tools used to monitor EMR accesses. It’s best for that method to be documented so new team members can be easily on-boarded. Moreover, leverage software systems to help automate the process, so you can focus on suspicious behavior rather than time-consuming false positives.

3. Frequency

The monitoring frequency is an important parameter of your process because it determines how often accesses are reviewed. Put a formal process in place that notes how often your team will monitor subjects. The frequency may change depending on the subjects and the size of the facility. A schedule that lays out the amount of time and which team members are assigned work can help everyone stay on track to meet reporting requirements. 

4. Reporting

Discuss what information needs to be reported, how those reports will be presented, and who the reports will need to be sent to. It is important to define the specific metrics you present to compliance managers, department heads and executive committees. Remember that different people in organizations like to consume data in different ways, so they might like raw data or aggregate results.

When building this process, ensure all rules and regulations are being adhered to. Over time, this process and schedule may change as your team gets into its flow. If changes need to be made, discuss them with your compliance or privacy team and make the necessary changes over time. Always update your documentation to reflect the updated process (it is helpful to keep versions of the documentation in case your team wants to look back on what changed).
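To show how the subjects and reporting choices above turn into a concrete check, here is an added example (not code from this page or from Maize Analytics) that screens constructed EMR access-log entries for self-accesses, accesses to VIP patients, and accesses by employees on a watch list, then aggregates the flags by department for a summary report. The log format, the VIP and watch lists, and the self-access policy are all assumptions made for the example.

```python
"""Added example: screen constructed EMR access-log entries for monitoring subjects."""
import csv
from collections import Counter
from io import StringIO

# Constructed sample access log (one EMR record access per line); the
# user_patient_id column is the employee's own patient record, if any.
ACCESS_LOG = """\
timestamp,user_id,user_dept,user_patient_id,patient_id,action
2019-10-01T08:02:11,u100,ED,p900,p123,view
2019-10-01T08:05:40,u100,ED,p900,p900,view
2019-10-01T09:15:02,u205,Billing,p901,p777,view
2019-10-01T09:16:30,u310,Oncology,p902,p777,print
2019-10-01T10:44:09,u205,Billing,p901,p555,view
"""

# Facility-specific parameters (constructed assumptions for this example).
VIP_PATIENTS = {"p777"}        # patients flagged for heightened review
WATCH_LIST_USERS = {"u205"}    # employees with prior inappropriate accesses
SELF_ACCESS_ALLOWED = False    # policy decision: is self-access appropriate here?


def screen_access_log(log_text, vip=VIP_PATIENTS, watch=WATCH_LIST_USERS,
                      self_access_ok=SELF_ACCESS_ALLOWED):
    """Return (flags, summary).

    flags   - raw findings for reviewers: list of (reason, log row) pairs
    summary - aggregate view for managers: Counter of (department, reason)
    """
    flags = []
    for row in csv.DictReader(StringIO(log_text)):
        reasons = []
        if not self_access_ok and row["user_patient_id"] == row["patient_id"]:
            reasons.append("self_access")
        if row["patient_id"] in vip:
            reasons.append("vip_access")
        if row["user_id"] in watch:
            reasons.append("watch_list_user")
        flags.extend((reason, row) for reason in reasons)
    summary = Counter((row["user_dept"], reason) for reason, row in flags)
    return flags, summary


if __name__ == "__main__":
    raw_flags, dept_summary = screen_access_log(ACCESS_LOG)
    for reason, row in raw_flags:
        print(f"{row['timestamp']} {row['user_id']} -> {row['patient_id']}: {reason}")
    for (dept, reason), count in sorted(dept_summary.items()):
        print(f"{dept:10} {reason:16} {count}")
```

Switching `self_access_ok` to `True` models a facility whose policy permits self-access, which is the kind of facility-specific rule the "What are you looking for?" question above asks you to settle up front.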

A monitoring process is required under HIPAA, but building out a successful program will also help your team better manage day-to-day tasks and ensure the proper data are being monitored. Going through each of these 4 points will help define and build your monitoring program, so your team can implement it and better protect your patients’ privacy.

Maize Analytics Patient Privacy Monitoring Solution can help streamline this process by reviewing up to 99% of the access log for your compliance team.



OCR Cyber Newsletter January 2017