Interview: John Jessop, Sr. Director, HIPAA Security & Regulatory Compliance, PPFA
HIPAA Journal is conducting interviews with healthcare professionals and service providers to find out more about their compliance journeys, how the HIPAA Rules have affected their working lives, and the successes and challenges they have faced with HIPAA compliance.
John Jessop, MHA, CISSP, CHPS, HCISPP, CISA, CMPE, Sr. Director, HIPAA Security & Regulatory Compliance, PPFA has shared his thoughts.
Tell the readers about your career in the healthcare industry
I started my healthcare career as a lab tech back in 1982. Since then I received a Masters in Healthcare Administration from Baylor University, have worked in hospitals in a variety of roles from Facilities Management and Safety Management to Family Medicine Residency Program Administrator to VP of Physician Services, managed a number of physician practices, functioned as a healthcare software salesperson, worked as a consultant, was a VP of IT, and finally ended up as a Senior Director, HIPAA Security and Regulatory Compliance for a national corporation.
What was your first position?
My first position in healthcare was working in a hospital lab. After rotating through all lab sections, I focused in Microbiology, and then worked in the Morgue assisting in autopsies and doing Histocytology-related job functions. I found that I liked working in healthcare because of its mission, and wanted to try working in different areas in support of healthcare providers.
Get the FREE
HIPAA Compliance Checklist
Delivered via email so please ensure you enter your email address correctly.
Your Privacy Respected
What is your current position?
At present, I am the Senior Director of HIPAA Security and Regulatory Compliance at a national healthcare organization, and work remotely for our Manhattan office. My office is responsible for keeping our affiliates informed regarding regulatory changes at both the Federal and State-levels. I lead our HIPAA Committee and Subcommittees (Privacy, Security, and Risk Management), and our Data Privacy Committee. I also participate in our Data Governance Committee and support our Enterprise Risk Management Committee.
What are the main challenges in your position?
The foremost challenge is HIPAA itself, and the lack of Federal guidance related to data privacy and security. HIPAA is extremely dated – it was drafted in 1994/5 and became a law in 1996. Prodigy and AOL were the major internet players then, and EHRs were not in widespread use. Most recently, HHS OCR issued an NPRM regarding a number of HIPAA Privacy Rule modifications in December 2020, and yet still nothing has changed. With respect to HIPAA Security, the 2021 HIPAA Safe Harbor Rule provides a mechanism for an organization to potentially lessen fines or penalties assessed by HHS OCR if an organization follows a recognized cybersecurity framework guide like the NIST Cyber Security Framework (CSF) or the 405(d) Committee’s Health Industry Cybersecurity Practices (HICP), but HIPAA still only has high-level, dated security guidance. We have had to push to implement policies and practices that are not spelled out under our guiding healthcare privacy and security regulation (aka HIPAA), a battle that requires ongoing leadership and Board education to ensure that appropriate budgetary support is secured. Having a law that we could point to would help us get what we need to ensure that our patient’s data is both secured and kept as private as is possible.
Are you working on any interesting projects?
We are implementing a privacy and security State and Federal legislation tracker that will be pushed out to all of our affiliates. It has been a fun project which pulls data from a third party into our data analytics platform, and then is posted to our corporate intranet.
When did you first get involved with HIPAA compliance?
My first HIPAA-related role was as a WEDI-SNIP Committee member for NH/VT back in 2000. We worked with the NH and VT Hospital Associations and Medical Group Management Association to help healthcare organizations become familiar with HIPAA, Administrative Simplification, and HIPAA Privacy requirements. When I worked as a consultant, I provided organizations with Privacy Policies and Security Manuals. I currently work with our Office of General Counsel elements, our State and Federal Policy Teams, our affiliates, and our IT/InfoSec Departments on HIPAA and other regulatory issues (like the 21st Century Cures Act, COPPA, the FTC Act, etc.).
What do you think needs to be improved in the HIPAA regulations?
The HIPAA Privacy Rule needs to be updated to reflect current industry concerns, such as privacy related to interoperability, protections around reproductive healthcare data, the role of social media in healthcare, the addition of new covered entities, addressing personal health applications, and changes related to data privacy management. The HIPAA Security Rule should be tied directly back to the 405(d) Program’s HICP or to the NIST Cybersecurity Framework. HIPAA Security Rule requirements should be far more prescriptive. Additionally, HHS OCR should be required to provide an annual update of the HHS OCR HIPAA Audit Protocols.
Do you have any predictions for the future of healthcare regulation?
HIPAA/HITECH and the 21st Century Cures Act will gradually be amended to come into complete congruence. I predict that there will eventually be a uniform data privacy act, but I only have 9 years to retirement so I may not see it. I think that there will be a strengthening of information security requirements across Critical Infrastructure Sectors primarily driven by financial pressures caused by the impact of ransomware. Here again, the States seem to be doing more in that area than the Federal government, but the security legislation is fairly haphazard and inconsistent across industries.