Q&A

Providence Health CSO on Recovering From HIPAA Violations

Eric Cowperthwaite, CSO of Seattle-based Providence Health & Services, opens up about the organization's efforts to bounce back from HIPAA violations.

By Bill Brenner, Senior Editor

Page 3

Give an example of the difference that is made.
Cowperthwaite: A good example is when you have a new significant risk to the company, the theft of and malicious use of data, for instance. Having support from the senior execs means you can elevate the visibility of that risk to the appropriate level without being stuck in the position where you have to bring it to a mid-level manager who can't do anything about it anyway.

If you are the CSO of an organization and a regulatory agency comes along and tells you the company is out of compliance, what is the right or wrong way to respond?
Cowperthwaite: If a regulatory agency shows up on your doorstep and suggests you are out of compliance with HIPAA, PCI or some other item, treat it like any other security incident. You should automatically activate your crisis management team, which should include general counsel, human relations, public affairs, etc. Typically the agency serves you with a formal letter or subpoena, depending on the scenario. That represents a crisis for the company.

You then need to determine whether the complaints are right or wrong. Either way you need to go into a response mode and be prepared, in conjunction with your attorneys, to work with the regulators and not fight them. Unless you have something really bad, like with Enron, the regulators are not setting out to do you in. Your best bet is to be as cooperative as possible so you don't have to resort to court action.
