Interview: Caroline Cook, Privacy Consultant, GDH Government Consulting Services

By | November 17, 2022

HIPAA Journal is conducting interviews with healthcare professionals and service providers to find out more about their compliance journeys, how the HIPAA Rules have affected their working lives, and the successes and challenges they have faced with HIPAA compliance.

Caroline Cook, Privacy Consultant, GDH Government Consulting Services, has shared her thoughts

Tell the readers about your career in the healthcare industry

I’ve worked in healthcare for over 30 years. I’ve always been drawn to healthcare. As a teenager, I volunteered in hospitals and nursing homes. I earned a BA in Social Work and have spent the majority of my career working in acute care settings. My professional goals changed over time. I remained in acute care, transitioning to roles more specifically related to compliance. That led to my serving as the Privacy Officer for the hospital beginning with the implementation of the Privacy Rule. A few years later I served as the Chief Privacy Officer for a multi-facility health system. I then left acute care and began a career as a Privacy Consultant, obtaining three different certifications as an information privacy professional. I see my healthcare career as this amazing gift I’ve been given. It’s allowed me to be a part of this “realm” that is at its least described as an industry, but at its best is a combination of art, science, faith, technology, constant dedication, and compassionate intent. Everything in healthcare treatment and delivery is evolving quickly. It’s truly amazing. And, we’re only at the beginning.

What was your first position?

My first professional experience in healthcare was as a licensed social worker in an acute care hospital. My role included discharge planning, crisis intervention, facility placements, and case management. My role provided opportunities to work in outpatient, inpatient, and psychiatric care divisions, as well as opportunities for me to participate in compliance efforts, including the Joint Commission Readiness team, where I gained invaluable experience of compliance on a larger scale.

What is your current position?

I’m a Privacy Consultant employed by GDH Government Consulting Services. I’m currently on contract to a State Medicaid Agency’s Privacy Office. I’ve been in this role with the state agency for several years. I perform most of those duties performed in any healthcare privacy compliance office. This role has given me the opportunity to see the healthcare system from a very different perspective, that of payer and public service organization. I believe that puts me in the “thick of things” as far as the current healthcare landscape goes.

What are the main challenges in your position?

There are the usual challenges of budget, time, reluctance to let go of “the way we’ve always done it”, and the like. But the main challenge in this position, as in every position I’ve had over the years, is changing the cultural perception of compliance, not just information privacy and security compliance, but compliance as a whole. I believe the most successful way to achieve healthcare privacy and security compliance, successful interoperability, and genuine patient access and participation is by first understanding the primary goal is to provide the best healthcare delivered in the best way so we can help individuals, children, families live healthy and productive lives. It’s hard to move perceptions of compliance from the “avoidance of penalties” mode to the “pursuit of happiness” mode. But, that’s what has to happen if we want our healthcare workforce and compliance efforts to keep pace with the amazing technical evolution in healthcare.

Tell the readers about any significant event in your career

The most significant “event” in my career was a series of events really. I had gone into healthcare with the idea that I would always work and interact directly with patients and families. I thought that was the way I could make the biggest difference in the world. As I became more involved in compliance and other administrative efforts, I finally understood the critical part that those “behind the scene” folks play in making it all work. That made me think I could make a difference in bridging the gaps between the front lines and the administrators – something that has to happen when you want the best outcome for patients and families.

Are you working on any interesting projects?

There are so many projects underway currently. Medicaid modularity, health information exchange, patient access APIs and apps. In every project that touches personally identifiable information, we’re working to ensure privacy and security considerations are included at the initial planning stages. On a personal and professional level, I work hard to attend workgroup meetings virtually on several federal projects: TEFCA, Interoperability, WEDI Privacy and Security Workgroup. While I’ve done very little “work” on those projects, the ideas exchanged are helpful in understanding the short- and long-range vision.

When did you first get involved with HIPAA compliance?

In 2002 I was asked to lead the implementation of the Privacy Rule provisions at the acute care hospital where I worked. I accepted, but had no idea how much I didn’t know that I didn’t know. Most of my knowledge of HIPAA had been related to portability and the “prudent person” provision for emergency treatment. I definitely learned on the job. HIPAA isn’t a simple list of do’s and don’ts. I think most of us working with HIPAA now know that our understanding or interpretation of any Privacy Rule provision is always a work in progress. Continuous reading and discussion with colleagues is a must.

What are your main challenges regarding HIPAA?

HIPAA, specifically the Privacy Rule, has very little definitive provisions. Those that are in part definitive (or seem to be), are weakened by limited specific interpretive guidance. Some are made confusing, by other provisions that provide vague exceptions, or exceptions to exceptions, or seemingly theoretical applications. Professionals in my position have and continue to work within HIPAA enough to be confident in our interpretation. The challenge is taking that interpretation and making it more definitive yet flexible enough to apply it to everyday situations so we can properly train staff. Every day in every healthcare-related entity unique situations occur. Many just don’t “fit” with the generic examples provided in HIPAA guidance. The most important fact training should include is to pause and call for guidance before acting if you’re unsure whether a use, disclosure, or collection of information is permissible, and to what extent.

Do you have any predictions for the future of HIPAA?

I think, specific to privacy and security, HIPAA has served as the force that set things in motion. HIPAA is over 25 years old. Changes in every facet of healthcare have blown through HIPAA to the extent, in my opinion, that HIPAA actually impedes progress and possibly compliance with other related regulations. I think we’ll have “HIPAA” in some form forever, but not as it is now. The principles of information privacy and security are the same regardless of the industry or the sector of government oversight. But healthcare is a unique realm. Whether as a stand-alone regulatory Act or as a carve-out of a comprehensive federal law, there will be unique privacy and security regulations. Many of the current requirements were written based on manual processes. As technology continues to advance, definitive privacy and security requirement actions will be built into the tech (not referring to machine-decision making here) making some provisions obsolete. Some of the decisions programmed into the tech will require certain obsolete HIPAA provisions to be modified to allow individuals to opt-out of automated decision-making. Ideally, merging HIT, HIPAA, etc. regulations will occur as innovations make it feasible.

Do you have any predictions for the future of healthcare technology?

I doubt at this point we can conceive of just how far healthcare technology will evolve. The endless branches of what we call healthcare are already beginning to overlap. Innovations in technology and research will lead to more and more prevention/intervention before birth, before conception even, likely eradicating many of the health challenges we face today. On the other end of that spectrum will be advances that simplify and make safer treatment of illness/disease with better outcomes. Healthcare technology in the treatment of spinal injury paralysis, the development of prostheses, tremor control – all are already happening to a degree and will improve exponentially from now to….

Do you have any predictions for the future of the healthcare industry?

Not so much a prediction, but a hope. To truly provide quality healthcare to people, technology should be used and developed to the greatest extent possible, but should be done so as tools or resources that a knowledgeable, skilled, and compassionate healthcare practitioner can use in the art of practicing medicine.

The post Interview: Caroline Cook, Privacy Consultant, GDH Government Consulting Services appeared first on HIPAA Journal.