The Difference Between Privacy & Security Regimes

Privacy regimes such as the HIPAA Privacy Rule, GDPR, CCPA, etc., differ in kind, not just in degree, from Security regimes such as the HIPAA Security Rule and PCI DSS (the latter being a private-law, contractual regime). Privacy regimes tend to be more legally nuanced, and the policies, processes, and tracking mechanisms needed to comply with each requirement are more opaque than those found in security regimes. You still need all three parts of the Compliance Equation® to comply with regimes of both kinds, but the requirements are harder to identify and more organizationally complex in privacy regimes. In short, complying with a Privacy regime is the quintessential wicked problem. For example, as detailed as the HIPAA Security Rule may seem (and it is), the requirements contained within it essentially amount to information technology (“IT”) 101. This is “stuff” we know how to do, like building bridges.
That is not to say that complying with Security regimes is trivial; it is not, just as building a bridge is not trivial. But these are challenges with more technical complexity than organizational complexity, and the latter is the primary differentiator between a tame problem and a wicked one. For example, when the HITECH Act finally gave the HIPAA Security Rule teeth, there were people within your organization (assuming your organization was of a certain size), and thousands outside it (e.g., at managed services providers), who understood the requirements and how to implement the controls necessary to comply.
The same cannot be said for Privacy regimes. Why? Because the implementation of the controls varies from organization to organization, and the requirements are not technical in nature. There may be few, if any, people within your organization who know how to implement the necessary controls, and there are certainly not thousands outside it ready to step in and help. The final 2021 HIPAA Privacy Rule NPRM (“Rule”) is a case in point. Not only has it given the Privacy Rule more legal prominence, in part because of its direct focus on consumers (i.e., patients), but it has introduced a potentially massively disruptive set of new requirements that did not exist before, e.g., allowing patients access to your facility at the point of care to inspect their PHI, including the right “to view, take notes, take photographs, and use other personal resources to capture PHI contained in a designated record set.” This poses process problems (i.e., the invention of entirely new processes) that providers have never faced.
The shift of the U.S. healthcare industry from a sickness model to a wellness model has huge disruptive implications for the industry writ large. Never has the consumer been the focus of this industry. As perverse as it may sound that the patient is not the focus of an industry that purports to care for patients, the reason is that historically, and to this day, the patient is generally not the one who pays the bill. For this industry, the payers are, by and large, health plans, large employers (i.e., functioning as their own health plan), and the government. Patients are now at the center of attention because the large health plans have (likely) decided that their margins will improve under a wellness system (same premiums and reduced costs = better margins), and are hiring care managers and care coordinators to collect protected health information (“PHI”) from all of a patient’s providers (e.g., from general practitioners to the myriad of specialists we visit) in order to coordinate care and form a more holistic view of the patient’s health, thereby helping the patient achieve a state of wellness.
So, what does this have to do with Privacy? OCR has purposely proposed a massively disruptive set of new requirements in the 2021 Privacy Rule NPRM to support the wider health plan strategy of transforming our healthcare system from sickness to wellness. The proposed Rule provides little if any guidance on the process issues created by the new requirements. Further, over the last few years, OCR has shown a willingness to levy civil monetary penalties (“CMPs”) on both large and small covered entities (“CEs”) for failing to honor patients’ requests for access to their PHI, let alone for failing to allow patients into their facilities to inspect PHI. OCR recently announced that it is hiring additional legal staff, sending the not-so-subtle message that it expects audits to increase under the proposed Rule. In other words, via the proposed Rule, OCR intends to force CEs to take a more patient-centric approach, something which, left to their own devices, they might never have done.
For more information contact us at:
3Lions Publishing, Inc.