Kaiser tackles HIPAA compliance with increased training

HIPAA compliance is everyone's job at Kaiser Permanente, says Jim Doggett, its chief security officer and chief technology risk officer.

"Key to compliance is training, training, training, and then more training," he says in an interview with Healthcare Payer News. Employees must understand their role in protecting patient information, he says, and Kaiser makes that expectation clear. In addition, he says, Kaiser strives to create an environment where employees can raise compliance concerns.

Doggett joined Kaiser more than years ago from the financial services industry, which he characterizes as more mature from a regulatory perspective.

He oversees a 300-person team that works to ensure the security of about 273,000 desktop computers, 65,000 laptops, 21,700 smartphones and 21,000 servers--as well as the records of 9 million members. It employs encryption on devices and on data in transit.

The organization has had its breaches and compliance issues--most notably when 300,000 patient records were found to have been stored in a couple's Los Angeles-area home.

Its response policy, Doggett says, is to contain a breach, analyze why it happened so it does not recur, notify those affected, and require annual training of all staff and physicians.

Ensuring privacy and security involves more than just protecting the data, he says; it also has to account for how those efforts affect patient care.

"We are always looking at security from the consumer perspective, and this is when we can best meet the business need," Doggett says.

The U.S. Department of Health & Human Services' Office for Civil Rights will resume HIPAA audits this fall with a narrower focus and fewer onsite visits. OCR has been leveling some whopping fines in HIPAA cases recently, including $3.3 million against New York-Presbyterian Hospital for "lack of technical safeguards" on a physician's own server.

In March, HHS unveiled a security risk-assessment tool to help healthcare providers in small to medium-sized offices.
