Meet Erika Riethmiller: Compliantly improving people's health and lives

SCCE & HCCA CEO Gerry Zack (gerry.zack@corporatecompliance.org) interviewed Erika Riethmiller (erika.riethmiller@uchealth.org) in December 2021.

GZ: Your undergraduate degree is in German language and literature and international relations, and then you moved into the healthcare field for your graduate studies and professional career. What drove your desire to make this switch?

ER: Upon completing college, and before further study to eventually be a German-language teacher, I wanted to take some time, so I began working at a hotel owned by a major academic medical center in Chicago. The hotel had been built to house patients, their families, guests, and visitors. My job was to increase occupancy of the hotel by marketing it to patients as well as staff who could recommend the hotel as a place to stay. Much of my workday was spent walking the halls of the hospital, interviewing physicians, nurses, and other providers; speaking with patients in the cafeteria; hanging posters in break rooms; etc. It didn’t take long for me to fall in love with everything that the medical center stood for: excellence, quality care, healed patients, grateful loved ones, better lives. I quickly recognized I wanted to spend as much time as I could in the healthcare space, making it better for patients and care providers, of whom, to this day, I am still completely in awe. Their knowledge, desire, and unyielding dedication to help people is something I find particularly inspiring. At no time in my career have we seen this more clearly than now, witnessing healthcare’s dedication in responding to the COVID-19 pandemic.

GZ: The Health Insurance Portability and Accountability Act (HIPAA) was already in place when you began your focus on privacy. A two-part question: First, did HIPAA have anything to do with sparking your interest in privacy? Next, what have been the most significant privacy developments that have affected your work since you started?

ER: In 2001, the healthcare industry was preparing for the April 14, 2003, compliance date for the Department of Health & Human Services’ (HHS) Standards for Privacy of Individually Identifiable Health Information,[1] known today as the HIPAA Privacy Rule. A neighbor asked if I would consider a part-time, temporary role consulting with a department of the State of Colorado to assess its readiness for the 2003 deadline. I was reentering the workforce at that time, having taken several years off to raise my young children to school age. While I had been introduced to the possibility of a federal privacy law during my graduate work in the early 1990s, HIPAA wasn’t signed into law until 1996, so the HHS regulations implementing HIPAA were new to me. I remember thinking how basic the standards and requirements of the Privacy Rule seemed: private information should be locked away in file cabinets when not in use, employees should not share it unless needed for a job-related reason, etc. Helping organizations comply with HIPAA’s requirements fit perfectly into my desire of being a part of making healthcare better. My neighbor’s gracious offer to assist with my transition back into healthcare was an amazing opportunity that set the stage for my future career in compliance. So, HIPAA had everything to do with my interest in privacy!

Privacy has changed since that time. In 2009, President Obama signed into law the Health Information Technology for Economic and Clinical Health Act, as part of the American Recovery and Reinvestment Act of 2009. This was a game changer for HIPAA. It added the Breach Notification Rule, allowed for audits of covered entities, brought business associates directly under the purview of HHS for compliance with HIPAA, and increased the dollar amount of penalties HHS could consider for instances of noncompliance. This rule was particularly noteworthy. For the first time, there was a national requirement to notify individuals if their information was lost or misused in violation of HIPAA. The rule requires that covered entities report to HHS, and HHS post on a public website, any breach of HIPAA impacting 500 or more individuals. Reporting to the media was also required in certain instances. In a single moment, HIPAA became very visible, and organizations subject to it realized noncompliance would be reported to the feds and, in certain cases, displayed publicly.
