This interview with R. Brett Short (roger.short@uky.edu) was conducted in May by Adam Turteltaub (adam.turteltaub@corporatecompliance.org), Vice President of Strategic Initiatives & International Programs, Society of Corporate Compliance and Ethics & Health Care Compliance Association.
AT: How did you first get into the world of Compliance?
RS: It kinda just happened and followed me my whole career — providence perhaps. One of my first jobs out of college was recreating patient accounts that were erased by someone who deleted them and took some money. Another was a practice where the providers were divorcing, and I was tasked with figuring out who took what and unlocking the security installed by a rogue employee. I had a lot of forensics experience, without asking for it, in my first few years out of college. This became the theme with each job I took, trying to get to the bottom of what really happened by doing investigations. Officially, I got into Compliance like a lot folks did, “volun-told.”
Prior to joining the University of Kentucky (UK), I was a consultant, and we were talking a lot about HIPAA in the early days. When I arrived at UK, I began to ask a lot of questions like, “What are we doing about HIPAA?” and “Who’s on point?” I guess I asked too many questions. I met the group that was addressing it, and they did some phenomenal work prior to my arrival. I became Privacy Officer a few weeks before the effective date. It was like jumping into a race car after the race had started. It was a wild ride.
AT: Privacy was still a relatively new area back in 1998. What was the state of Privacy back then?
RS: I was doing EMR [electronic medical record] implementation back in the early days of that industry, and we were talking a lot about impact to the delivery of care in different settings like the hospital and clinics. When I arrived in academic medicine, we simply couldn’t reconcile the early expectations with current practice. College athletics, student dental clinics are mostly open-operatory model, and they presented some real questions with the initial guidelines. Luckily for many of us, the comment period yielded some good results and workable solutions to patient privacy.
AT: There’s obviously been a lot of change since then in terms of privacy. How have you managed to stay on top of all of them?
RS: I was really fortunate to have met and connected with some folks who were really focused on privacy. People like Marti Arvin, Betsy Wade, Richard Chapman, Don Riggs; there was a lot of regional talent that had formed a regional group H.A.W.K. (HIPAA Awareness Workgroup of Kentucky). Regular collaboration and LOTS of reading. I was reading everything I could get my hands on during that time. I made the commitment to regularly read the HIPAA Privacy Rule on a recurring basis and tried to memorize as much as possible. I had a great printed copy of it that became quite tattered. That old three-ring binder is a treasure of mine even today. Lots of memories in those pages.
AT: I don’t think we’re done seeing change. The European General Data Protection Regulation shows how the bar is constantly rising and may have an impact on healthcare providers here as well. How should compliance people think about operating in what’s likely to be a fast-evolving area?
RS: I am regularly amazed how quickly technology is impacting healthcare in today’s environment of shrinking reimbursement. As an industry, historically we’ve been slow to adapt some common technology that others have already embraced. However, in today’s era of Amazon-like expectations, I expect that healthcare will change quickly to meet the public’s expectation of simplicity and convenient delivery. We need to continually understand how the business is operating and where technology and regulation are taking us. Therefore, it is essential to include Compliance at the table when we are discussing and making key business decisions.
AT: In your role as Chief Compliance Officer for the University of Kentucky healthcare, you oversee a broad enterprise that encompasses an academic medical center, physician group practice, and Colleges of Medicine, Dentistry, Nursing, Pharmacy, Health Sciences, and Public Health. How do you build a consistent approach across such a broad enterprise?
RS: Great employees — I couldn’t do it without them. I truly have an incredible team. If I’ve been successful, it is because of the bright people that I meet and the great employees that we have in Compliance. I mentioned earlier that I benefited greatly from exceptional people in the region, constantly connecting and learning from them. When I teach in HCCA’s Privacy Academy, I constantly urge them to connect and collaborate with people they meet in the Academy; they are likely to become lifelong colleagues and friends.
AT: How do you handle pushback when someone says, “Well, that’s fine for them but not for us”?
RS: I think success begins with agreeing on the outcome. We can all agree that we want what is best for the patient. Whether in a hospital, lab, insurance plan, or a dental clinic, everyone can agree on good outcomes. Compliance makes it better.
AT: The shift to EMR has been likely a huge benefit for patient care, but carries huge privacy risk, as we all know. What are you and the UK doing in this area?
RS: We have a great CIO [Chief Information Officer]. She has taken the approach of treating our data as an asset. With that approach, we are careful to look at how we collect, create, and manage the data in a way that shows true value. It is a collaboration between the Information Security Officer, the Privacy Officer, and our office. We want to ensure that when we have great patient care, we don’t get careless and ruin a great clinical experience by being careless with their privacy/data.
AT: Corporate Compliance and Ethics Week is celebrated the first week in November. This designated week offers compliance professionals the opportunity to roll out their annual training, create awareness among the workforce, share new policies, etc. This year it is November 4–10, 2018. Will UK HealthCare be celebrating, and if yes, would you share some of your plans with us?
RS: We are planning to use Corporate Compliance and Ethics Week to highlight and reinforce “tone at the top” in our organization. We have a new leader in the medical center, and this will be the perfect way to share his thoughts and focus on compliance. I think it is very important for leadership to routinely emphasize “doing the right thing” and the organization’s commitment to the right way of doing business.
AT: In addition to your UK work, you serve as an outside expert on the University of Cincinnati’s audit and compliance committee. What do you think makes for an effective committee in terms of staffing and scope?
RS: I give a lot of credit to the board Chair. She recognized that they needed an objective expert in an area that they didn’t have represented on the committee: privacy and compliance. This experience has been more beneficial for me than I’ve been for them. Sitting on the “other side” of the table, asking questions objectively about things that I do every day has been great. An effective committee must have a strong Chair and subject matter expertise in the areas of activity performed in that organization.
AT: How do you help keep the committee focused?
RS: The Chair must set the tone. As I mentioned earlier, the patient will have a better experience and outcomes if we get the compliance and privacy things right.
AT: Let’s move off of the traditional type of questions for a bit, and onto the personal. When not busy with compliance at UK and serving on the SCCE & HCCA board, you are also a farmer who raises cattle. Does any of your compliance work have an impact on your farming?
RS: Not really. Farming is something I grew to dislike as a kid. As I grew older and became better in sports, the two competed for my time. After college baseball ended and my prospects grew smaller for playing at the next level, I unexpectedly returned home to Kentucky to help my father on the farm when he was diagnosed with cancer. After his passing, the love for nature, animals, and a simpler life returned in a big way. I love the farm now. It is a good balance to the busyness of the job and a rapidly growing academic medical center. I can slow down and recharge by being on the farm with my family on the weekends.
AT: What about the other way? Any compliance lessons you’ve learned from your work on the farm and with the cattle?
RS: You must know your business, stay in tune with the ins and outs, the trends, define the targets and the desired outcome. In farming, there are tasks associated with each season — mowing in summer, harvesting in the fall, feeding in the winter. The same is true for healthcare compliance. During the season of change, it is important to reinforce tone during the change of leadership. When things are slow (does that really happen?), work on projects. When things are busy, never forget the “why” of the “what” we are doing. Most importantly, wear your boots; it is not a matter of if you step in “it,” but when you do, you’ve got to be prepared.
AT: Let’s come back closer to home. What led you to run for the board of SCCE & HCCA?
RS: I’ve had a few friends in the industry urge me to serve for a few years. I honestly was very humbled at the requests and urging by colleagues. The board has some of the legends in the compliance industry. I sat in awe in my first meeting that I was a part of: such a great collection of minds and a great organization. I am truly honored and humbled to be a part of the board.
AT: Finally, how do you see compliance evolving over the next few years?
RS: With healthcare reimbursement being a political football, I think we are seeing the new norm. With the change in parties comes the change in philosophy of reimbursement and payment methodologies. The current administration is seeking regulatory relief, and we’ve seen some recent changes with student documentation. If this continues, we will certainly have many changes to implement and monitor change. On the privacy front, OCR [Office for Civil Rights] has indicated they want to modernize some of their guidance to be applicable to existing and emerging technology, and that will cause some shifts in application and assessment. Lastly, we’ve seen recently in the news the public attention to the monetization of data. I think we’ve not seen the last of privacy regulations.
AT: Thank you, Brett, for sharing your expertise with us.