Executive Voices: Vanessa Benavides, J.D., Chief Compliance and Privacy Officer at Kaiser Permanente

Samara Rosenfeld
JULY 26, 2019
For health systems, the advent of new healthcare technologies has led to increased concerns of Health Information Privacy and Accountability Act (HIPAA) violations and compliance issues. Fears exist regarding the present and future of health data privacy and security. Dealing with sensitive health information is no simple task, and health systems must build trust with their patients and train their staff to be diligent in every move they make.
 
As senior vice president and chief compliance and privacy officer at Kaiser Permanente, Vanessa Benavides, J.D., works hard to ensure that the health system and health plan comply with health data privacy regulations. Through staff training and cybersecurity awareness campaigns and by testing claims that health technology is HIPAA-compliant prior to implementation, Benavides strives to fulfill Kaiser’s mission of providing high-quality, affordable healthcare to patients and members.
 
Benavides earned a law degree from the University of Iowa College of Law and a bachelor’s degree from Vanderbilt University. She serves as co-chair of the Human Rights Campaign Board of Directors. In 2014, Dallas Business Journal recognized Benavides as a top minority business leader. Before her work at Kaiser, she served as chief compliance officer for Tenet Healthcare, where she managed ethics and compliance programs.
 
I spoke with Benavides about her compliance approach, common issues and how she views other organizations’ strategies to better equip Kaiser and its patients.
 
Editor’s note: This interview has been lightly edited for length, style and clarity.
 

Samara Rosenfeld: What strategies do you and Kaiser have to ensure compliance with health data privacy regulations?

Vanessa Benavides: Technology and the way we use data are a fact of life and are becoming more and more ubiquitous. I, for one, think that’s a good thing because I think tech really enhances our strengths. It enables us to be more connected, more productive and often more efficient. At the same time, technology can really introduce risk into our environment. It’s really difficult to ensure 100% compliance, but we strive for that outcome by focusing on the basics. The way I look at it is a simple framework that involves people, the processes we follow and the tools that we use to monitor our processes and mitigate our risks.
 
It really does start with people. While everyone uses and is impacted by technology, not everyone understands it or has a full appreciation of the risks that it can introduce. And they don’t always have a full appreciation of the pitfalls that they can fall into when they use technology. For these reasons, we believe it’s really important to create a culture of awareness first and foremost because when we know better, we do better. It’s a simple concept.
 

S.R.: So how do you succeed in creating a culture of compliance and awareness?

Vanessa Benavides: We do quite a bit of training, awareness campaigns and some knowledge tests. We also embed controls into our processes. We have a technology risk office led by our chief information security officer. The compliance function and that office set standards for our security protocols, and they vet new technologies and assure they meet appropriate privacy and security standards, including all of those regulations. As a matter of routine course, they also perform ongoing security risk assessments of our vendors. These assessments really create a continuous feedback loop that helps inform our areas of opportunity.
 
The other thing we really strive to do is acknowledge that the environment is always evolving. Effective compliance programs continuously monitor performance against our standards and those regulations. We strive to be learning regulations, and that requires us to consistently assess our risks, whether they’re external or internal, because maybe our business is changing, or we are introducing new technologies. Then we update and refine our standards, we test our performance where we can and then try to focus our resources on those places where we have the opportunity to improve.

It’s sort of a comprehensive and programmatic way of thinking about how we comply with regulations. But we see it as bigger than that. Regulations are the foundation, but it requires programming around them to make sure we are on top of it.
 

S.R.: What does cybersecurity training entail?

Vanessa Benavides: Training is absolutely necessary, but it’s not a silver bullet. You really have to help people understand the risk environment in which they work and where they can have pitfalls based on decisions they make.
 
First and foremost, we do annual compliance training, but really, it’s ethics training. It’s meant to help people understand how to make good ethical decisions, which, frankly, is just the notion that everything we do, we think about the best interest of our members, our patients and the communities in which we operate.
 
If you keep that front of mind, most of the time you’re in pretty good shape. And then we drill down, particularly for people with certain job descriptions or functions, into more technical training, where we are getting more into the processes that they engage in every day.
 
Then we do another thing, which I think a lot of companies do these days. There are so many external threats coming into the environment and bad actors trying to trick well-intentioned people, so you get a lot of phishing emails or attempts to make you mistakenly do something that will allow attackers access into your systems. So we run campaigns where we present our employees with phishing emails to see if they’ll click on it. If they do, they get contemporaneous or immediate training or redirection about what happened, the decisions they made and the risks that could have come from that had it not been us doing a knowledge test.
 
We also track to see if we have people who fall for those things more than once. They might get some one-on-one time. It’s just a constant evolution of trying to make sure you’re staying on top of people’s awareness, knowledge and skills to be able to navigate in this risk environment.
 

S.R.: What are some common compliance issues at health systems?

Vanessa Benavides: As a healthcare organization, we’re entrusted to take care of people at some of their most vulnerable times. In order to do our jobs well, our members and patients have to feel safe sharing themselves with us. They have to trust us with their sensitive health data, their financial information and, quite literally, their well-being. They must trust that we hold their best interests as our top priority in everything we do.
 
Implicit in that trust, they have to make some assumptions. They assume that we’re following all of those regulatory requirements, which are in place to keep them safe in our care. They assume we’re protecting their personal data and that the professionals taking care of them are properly credentialed and fully capable of taking care of their needs.
 
So, common compliance in health systems really stems from those expectations. Privacy and security is a very big area for us. Licensing and accreditation requirements for our buildings and different service lines that we provide. Also, conflicts of interest in the environment. You want to make sure that you’re making business decisions based on the best interest of the patient and not some other business interest.
 

S.R.: How can hospitals and healthcare leaders best overcome these challenges?

Vanessa Benavides: Executives and leaders at all levels should really set the right tone in understanding that the purpose of compliance programs is to create and maintain the trust of our stakeholders — patients, regulators, our employees and communities in which we operate. Leaders need to take a proactive approach and engage their compliance teams early and often to craft the best approach to different business initiatives. Striving to be proactive is a rule of thumb. It’s never going to be 100% proactive, but if you have a proactive mindset and try to anticipate and understand the risks in your environment and what you’re trying to achieve in keeping the patients, members and stakeholders at the forefront of every decision you’re making, that’s a good place to start.
 
You’re always going to have things to react to — that’s just a part of it. You need to be proactive with your people. Healthcare is so much about people — and people taking care of people. You need to make sure your people are aware, well-trained and have the skills they need and understand their role in creating the right culture and a culture of compliance. Then you have to look at your processes and make sure you have the right controls in place to the extent that you can have control. That often includes technology.
 
If you can embed good, automated, technologically supported controls, it takes some of the load off the human being trying to figure everything out and helps you be efficient.
 

S.R.: When you look at health IT software and medical devices, vendors and developers are claiming that their products are HIPAA-compliant. How should health systems view that claim?

Vanessa Benavides: It’s incumbent upon us to test that claim and make sure that we are introducing technologies and software into our environment in a very diligent and thoughtful way.
 
Our technology risk office really takes the lead on that, to make sure we have good diligence processes around anything we bring in. I think that’s good practice. It’s never 100% perfect, but it’s our obligation to make sure that we as healthcare organizations are not only following the rules and regulations, but we are thoughtfully introducing technology into our environment because we take care of people all day long and the risks are very high.
 

S.R.: How has the digital transformation in healthcare affected compliance and privacy in health systems?

Vanessa Benavides: The privacy aspect of it has evolved quite rapidly recently. In the healthcare world, we’ve been dealing with privacy regulations for a very long time, but they’ve been very focused on typical healthcare transactions. As the privacy conversation expands more to looking at privacy through the lens of the consumer in a much broader way, that impacts the privacy conversations going on in the healthcare space. You have to really think about your patients and members as consumers first and their expectations, not just as what we’ve defined as protective healthcare information, but all of their data. Consumer expectations of privacy are evolving, and it’s forcing the industry to think about it in a broader way.
 
At the same time, consumers’ expectations of access to their data are also expanding. We are living in a world where people have expectations of 24/7 access to data and customized data. They want them on their phones, when and where they want them. You’ve got these competing interests here. You have, “I want more access,” and, “I also have a much more heightened interest in my privacy and what you’re doing with the data I’m sharing with you.” So, it’s a very dynamic space right now and a really interesting one, not just in the U.S., but all over the world.
 

S.R.: How do you develop strategies and embed compliance into operations designs?

Vanessa Benavides: I always start with identifying the value proposition of a compliance program. To me, effective compliance programs have a very simple value proposition. They build trust, thereby leading to a competitive advantage. What I mean by that is that we are a mission-driven organization. Our mission is to provide high-quality, affordable healthcare to our members and community. We can’t achieve our mission if people and organizations don’t choose to do business with us.
 
It’s an age-old adage that people do business or engage with organizations that they know, like and trust. Effective compliance programs build trust. We build trust in our systems, with our business leaders and with society and the communities we are in. If we’re operating in a way where we’re violating rules, breaching people’s privacy and don’t have good security controls, folks aren’t going to trust us or choose to do business with us.
 
I look at our compliance program as a trust builder that helps us and our business be chosen by the consumer. We really seek to embed that very simple concept throughout our compliance program. It’s our guiding principle, and I think it makes compliance easier to navigate. It’s more of a values-based concept, rather than a rules-based approach. Of course, we have plenty of rules and policies, and they’re very important to us and guide us, but we focus our decision-making on what is in the best interest of our members, if the decision increases or decreases trust and if our patients, members and communities would agree that this is the best decision.
 
When we take this approach, it really enforces this understanding that compliance is a shared responsibility. We have a shared responsibility to create a culture of ethics and compliance across Kaiser Permanente. It’s a strategic framework that informs the tactics that we use to drive compliance.
 

S.R.: Do you ever look at what other leaders at other health systems are doing to put you in a better position at Kaiser?

Vanessa Benavides: Bringing the outside in is always important, just to test your own assumptions and understanding and hopefully learn and maybe incorporate a few things. I try my best to stay akin to what other large organizations are doing, whether in the healthcare space or outside. For ethics and compliance programs, while it might be different subject matter, the concepts are very similar. So, I like to look across industries.
 
I also like to understand what benchmarking organizations might be looking at. What are the Gartners seeing? There’s an organization called Ethisphere that is very focused on ethics and does a lot of rankings of organizations around using its ethics criteria or quotient. I look at that. 
 

S.R.: What is an executive pearl of wisdom you would like to share with your peers?

Vanessa Benavides: The only difference between a good day and a bad day is me. What I mean by that is, when you’re a busy executive working in a complex industry, you’re going to have good days and bad days. But what I’ve realized is that they’re all the same. It’s all about my choice, attitude and how I reacted to it.
