Karen Siragusa from the finance team at Utah Valley Hospital asked CEO Dr. Marc Harrison:

  • Now that we’ve partnered with global organizations for our patient account services, how are we ensuring all protected health information is kept safe?
  • Is our data at greater risk of being stolen now that global partners are involved?
  • If there was a breach of our data in a foreign country, how would we know and how would we respond?

Key points Marc shared in response:

  • Any third-party supplier only has access to the minimum amount of patient information needed to provide the contracted service to Intermountain.
  • All third-party access is closely monitored and regularly audited to make sure they follow correct privacy and cybersecurity practices, just like is done with our own caregivers.
  • Access to patient information by our partners outside the U.S. is available only through a secure view-only solution — which means workers can’t make screenshots, copy text, or even bring their cellphones into the work area.
  • Intermountain representatives have visited all contract facilities and have certified they’re secure.
  • All our third-party suppliers are required to promptly report privacy and security breaches to Intermountain and if they happen, to work with us to mitigate any breach. This includes working with our breach response vendor, which manages breach notification, a call center, identity repair, and credit monitoring for anyone involved.

Marc Harrison, MD: Today, I'm with Karen Siragusa, who works in finance at Utah Valley Hospital. Karen, please tell us a little bit about yourself. And then, I'd love to hear your question and what's on your mind.

Karen Siragusa: Okay. I started out with Intermountain in accounts payables, worked there for three years, and then transitioned into reimbursement. What we do in reimbursement is monitor the Medicare and Medicaid payments and prepare cost reports for the hospitals.

Marc Harrison, MD: It sounds complicated. Do you like it?

Karen Siragusa: I do.

Marc Harrison, MD: Good. Good.

Karen Siragusa: My question is: Now, that we've outsourced some of our services and gone more global with our patient account services, how do we keep our PHIs safe?

Marc Harrison, MD: That's a really good question. I treasure our patients' privacy, and it sounds like you do, too, right?

Karen Siragusa: Yeah.

Marc Harrison, MD: So, keeping them safe means making sure that bad things don't happen to them in the hospitals or operating rooms and the clinics, but it also means that we're really careful with their information. I got wind of your question, and I had to do research because I'm not an expert in this area. But I'll tell you some of the things that I learned. I learned them from Suzie Draper, who's our Chief Compliance Officer, who I've got a lot of respect for.

So, the first thing is that we adhere to a rule regardless of who manages our patients' information that they should only have access to the absolute minimum amount of information that they need in order to make a decision, and that's particularly true for folks that work at a distance. Anybody who we contract with to manage information, they actually are held to all of the legal standards whether it's HIPPA or others, all of our business practices, but we also have an audit function that sits on top to make sure that they're using the information in the best and most patient-centered way possible.

And then, on the looking overseas front, they only have access to the limited information but only in a read-only format, so they can't even take a screenshot of it. And so, in addition to everything that I just said in terms of HIPA, other legalities, our best business practices, their contractual obligations, they then actually have limited access to information based on how the system is configured. So, we have, I think, lots of layers of protection there. When a breach does occur or if a breach occurs, then there's a whole level of interventions that are prescribed and actually managed and reviewed by the audit and compliance folks to make sure that things are done as well as possible.

Does that help you at all?

Karen Siragusa: It does. I feel like we're more vulnerable now that we're outsourcing to foreign countries as far as we lose the control. When it was done locally, I felt like we had more control over how we handled the information and who had access.

Marc Harrison, MD: Yeah. I can appreciate that, and as a non-content expert myself, I have to rely on sort of the policies, procedures, the compliance folks, et cetera to help make sure that we do this well. And this isn't something that we've just made up, and we're certainly, certainly not the first organization to work on a much broader scale. And again, remember that the stuff that's done overseas, it's in a limited and read-only format, so we are not actually sending people's data overseas, just so you know that.

Karen Siragusa: Don't they have access to patient information? So, name, address, date of birth-

Marc Harrison, MD: They-

Karen Siragusa: ... things can be sold.

Marc Harrison, MD: They do, but by the same token that can be sold from here as well.

Karen Siragusa: So, if there is a breach overseas, how would we know?

Marc Harrison, MD: Because we have an audit and compliance function that watches them in the same way that we watch here, and we're able to take action accordingly, both legal action but also business action. The question in my mind becomes ... All of this cyber stuff is very difficult and risky. And now, we just saw a hospital system being taken hostage recently by folks who inserted malware. That was actually domestic. That was not overseas. These are global problems. We're functioning in a global world. We've got domestic risk, and we've got international risk. The question is: How do we manage it, minimize it, mitigate it, and are as successful as possible in fulfilling our mission to help people live the healthiest lives possible, be a model system, which includes keeping healthcare as affordable as we can make it? Not simple. Do you have suggestions, Karen? I mean I'd love to-

Karen Siragusa: No. I don't. I don't know what the laws are in foreign countries, or how we keep that information safe. I think that in places that are lower income that crime is higher. There's more incentive for that just kind of thing to happen in my mind.

Marc Harrison, MD: Well, thanks. What I can certainly do, why don't we also send you and create a link on this podcast the information that compliance uses because maybe you'll feel better when you're able to see the description? And I'm not sure-

Karen Siragusa: Well, being a consumer of our healthcare, that's my information that's out there, also. So-

Marc Harrison, MD: Mine, too.

Karen Siragusa: Yeah. And then, how do I, if there were to be a breach in a foreign country, what is my recourse? If it was local, I would feel much more we've handled the problem. We've done A, B, and C. Or if it's in a foreign country-

Marc Harrison, MD: So, what the compliance folks assure me is that they have teams there, and they personally review information when or if there's a problem. And I'll tell you that our teams actually have been physically to all the places where work is done to look at their safety and security and make sure that it's up to snuff, not just a local standard but on a global standard.

We retain responsibility, of course. But our partners also have shared accountability as well.

Karen Siragusa: Okay.

Marc Harrison, MD: So, they've got business responsibility, and they've got legal responsibility. And we hold them accountable to that. Do you have other questions? Or ...

Karen Siragusa: No. I think I'm good now.

Marc Harrison, MD: Okay. Well, let us make sure that we follow up with you, and would you like to have a conversation with our compliance folks so that you feel better?

Karen Siragusa: I would like to see what is entailed in keeping that.

Marc Harrison, MD: Okay. We'll make that happen.

Karen Siragusa: Thank you.

Marc Harrison, MD: I appreciate it.