Working in Harmony to Create a Culture of Compliance

By Brian Stone, SVP Customer Success, FairWarning & Elizabeth Champion, VP and Chief Compliance Officer, FMOLHS

From meeting regulatory requirements to safeguarding protected health information (PHI), healthcare compliance teams face a myriad of challenges in protecting patient data. Privacy, compliance, and security departments are often siloed across healthcare organizations, so it can be difficult for them to build the trust and level of collaboration needed to protect health systems, and their patients’ sensitive data, from the significant threat of a data breach.

At Franciscan Missionaries of Our Lady Health System (FMOLHS), a not-for-profit, Catholic health system serving the needs of patients in Louisiana and Mississippi, the Compliance and Security teams came together to nurture a strong, cross-departmental initiative to protect their organization from compliance risks such as inappropriate patient record access and cybersecurity threats. 

A risk assessment conducted several years earlier gave the health system’s Compliance and Security teams the impetus to form a bond around keeping patient and user data safe. Collaboration was the key to creating a culture where everyone knows to do the right thing whether or not they are being monitored, which was then paired with technology that monitors access to patient records.

By breaking down silos and promoting education, any healthcare organization can reduce the risk of a data breach and nurture a culture of compliance using FMOLHS’ own journey as a blueprint.

Journey to Collaboration

At FMOLHS, the initiative between the Compliance and IT Security departments began when the health system was tasked with responding to an Office for Civil Rights (OCR) data request. Given the significant amount of information needed, the organization found itself working back and forth to solve the problem. Security would provide one type of report, which often turned out not to be what Compliance thought OCR expected, so the teams met repeatedly to ask questions and seek guidance until both had a full understanding of what they needed to present.

Across healthcare organizations, it is not unusual for privacy and security departments to conduct investigations independently of one another. The result, on both sides, is that IT Security is asked to change some of its processes to fit the needs of privacy or compliance without being given the context behind the request. Privacy departments may prefer to keep the incidents they are handling confidential, but armed with that knowledge and their own experience, IT Security teams can help prevent those incidents from recurring.

Even at FMOLHS, Compliance and Security struggled to share clear details of incidents they were investigating before the two departments began to collaborate. But once they began truly working together, they built trust by sharing those details with one another so that both teams could gain the full picture.

Building a Culture of Compliance

Once Security and Compliance teamed up, the departments built a culture of trust and compliance in which the department that discovers a violation can, by working with the others, assemble a full understanding of not only what happened but also how it happened. That collaborative culture also brings the confidence and willingness to admit when you do not know every detail of why a violation took place. A department can then approach another that can help perform the research needed to determine exactly what transpired, while providing the information necessary to present to internal and external parties as needed.

To extend the system-wide initiative beyond departments just talking to each other, FMOLHS also enacted several programs to make its culture of compliance robust:

  • Equipped the entire organization, not just the Compliance and Security departments, with the training necessary to safeguard patient privacy by providing integrated education throughout all facilities
  • Developed an organization-wide education program called “Safeguarding our Ministry” that reaches the entire health system; whether it is IT, Security, Compliance, Privacy, or Risk Management communicating the message, they all conduct training under a single umbrella
  • Provided resources such as a SharePoint site that acts as a single source for all team members, and branded posters that carry a unified, streamlined message. Creating a single program identity gave the health system an integrated approach to training that connected everyone with why these practices and protections deserve adherence
  • IT Security educated users on not sharing passwords, locking screens, and reporting concerns on an “if you see something, say something” basis

By educating users and building relationships between teams, FMOLHS nurtured a culture of compliance in which users self-report business-related activity they feel may trigger a privacy alert, aware that their actions are logged by a patient privacy application and that user activity is monitored.

Tips for Ensuring Collaboration Lives On

To help ensure collaboration between departments continued, FMOLHS identified several best practices, including: 

  • Compliance, privacy, and security departments should meet once a week – if not more – to discuss both activity within the organization as well as general topics
  • Hold quarterly meetings with leadership across privacy, compliance, risk management, and IT security departments to assess and reassess goals
  • Keep the organization’s Board of Directors and executive teams informed, as this is key to the success of any Compliance or Security program; when leadership knows the challenges each team faces, along with each team’s critical needs, they are eager to provide support

By translating the needs of the Compliance, Privacy, and IT Security departments for one another, FMOLHS created a tight-knit bond that enables the teams to safeguard patient data while fostering a culture of compliance. As a result of that strong collaboration and unified education across the entire organization, FMOLHS practitioners, employees, and business associates understand the importance of maintaining data security and the trust of the patients they serve.

About the authors

Elizabeth Champion: Elizabeth serves as Vice President, Chief Compliance Officer for the Franciscan Missionaries of Our Lady Health System. Elizabeth provides oversight and direction for FMOLHS’ Compliance and Privacy program by working with leadership to ensure FMOLHS meets state and federal requirements for its entities located in Louisiana and Mississippi.

Elizabeth began her career in Healthcare Administration in 1994, serving in Health Information Management leadership roles. During her 20 years with FMOLHS, Elizabeth was instrumental in negotiating and settling a Corporate Integrity Agreement (CIA) with the Office of Inspector General (OIG). She maintains a focus on excellence in strategic initiatives such as leading compliance and privacy integration in four hospital acquisitions. Elizabeth and her team have developed a collaborative approach to monitoring compliance with HIPAA privacy and security regulations by engaging Information Security, Risk Management, and Internal Audit.

Brian Stone: Brian is a dedicated customer-centric professional with 14 years of combined software and healthcare experience driving success in the form of retention, account growth, and strong customer relationships. In his role, he is responsible for ensuring customers realize the type of business value from FairWarning that drives lifetime customer loyalty. This includes overseeing the functional areas of onboarding, customer success management, professional services, and managed services. 

During his tenure at FairWarning, Brian has held several leadership positions including Director of Sales, Director of Customer Support, and most recently, Vice President of Account Management where he led the expansion activities and renewals within the customer base. Prior to FairWarning, Brian held sales roles at several healthcare technology companies. Brian earned a BA in organizational studies from the University of California, Davis. He is based in St. Petersburg and enjoys sports, the outdoors, mindfulness, and the arts.  

Follow Brilliance Security Magazine on Twitter and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.