code b alert program - Clearwater Compliance


Founded in 1915 and comprised of
◦ 5 Acute Care Facilities (Approx. 2000+ beds)
◦ Substance Abuse Facility
◦ Behavioral Health Facility
◦ Approx. 31,000 workforce members (FTEs, Contract, etc.)
◦ 1300+ Member Medical Group
◦ 900+ Member Physician Network (Non-Employed & Private Practice)
◦ Health Plan serving approximately 640,000 members
◦ Home Health, Retail Pharmacy, Optical Care, Hospice, Occupational
Health, Extended Care Divisions

In 2011
◦ Awarded the prestigious Malcolm Baldrige National Quality Award

• Reported this incident to the CEO, COO & Board, alerting them that this will be a media reportable data breach
• Pulled together loosely developed teams to respond to the data breach with no external breach support
• Conducted a Root-Cause Analysis to determine the program gaps and support necessary to strengthen the privacy & security program
• Effectively shared with the Executive Leadership that this is more “cultural” than it is “procedural”
• Shared with the Board that our incident history shows that we will have more of these reportable incidents in the future
IPSO MISSION
To establish a system-wide culture of
confidentiality through education, accessibility,
and a customer focus where privacy & security is
viewed as paramount in our daily operations.
IPSO VISION
Cultivating a collective mindset where
protecting privacy & security is a part of our
standard of care
HFHS MISSION
To improve people's lives through
excellence in the science and art of health
care and healing.
HFHS VISION
Transforming lives and communities
through health and wellness - one person
at a time.
Information Privacy Program
Enterprise Risk
Assessment Program
Information Privacy & Security Office
Policy Development, Education, Access Controls
Administration, Business Associate Management,
Patient Rights Management
Information Security Program
Incident Response Program

• Any routine investigations and incidents that may result in a breach must be forwarded to the IPSO for a Code A(ssessment) and potential Code B(reach) Alert
• Investigations are led by the IPSO in conjunction with operational management and Human Resources
• All investigative documentation (i.e., notes, interview transcripts, audit logs, etc.) should be stored in our centralized repository to ensure the ability for metric reporting and auditing
• Corrective action is always recommended by the IPSO in accordance with the outcome of the investigation
◦ Application of corrective action is consistent across business units and employee types
• Re-education is required for the entire department within 30 days of investigation closure, not just the offender
IPSO COUNCILS & RESPONSE TEAMS
• Workgroups established to address issues or topics of interest:
◦ The HFHS Privacy & Security Council is an
oversight council that approves System policies
and procedures related to privacy & security
regulations
◦ The Code B Alert Team is a rapid-response
workgroup established to centrally respond and
manage all System data breaches
◦ The Office for Civil Rights Response Team will
review all OCR data requests related to privacy
& security violations and respond on behalf of
the System and/or specific business unit
• Worked with our partners in Supply Chain, Corporate Legal Affairs, Accounts Payable and Physician Relations to create a framework that would require additional sign-offs before IT equipment can be purchased
◦ Policy/Process Revisions
◦ Policy Re-Education for Senior Staff & Mid-Level Providers
◦ System wide communication provided to all workforce members to raise awareness
• Senior Staff and Mid-Level Providers have been prohibited from purchasing any IT equipment with their professional development accounts
• Properly purchased IT equipment must be delivered to the Information Technology Department to ensure proper security protocols are enforced
• Accounts Payable will not reimburse for any equipment not “signed-off” by the Information Privacy & Security Department
• Reported this incident to the CEO, COO & Board again
◦ Compared the list of affected patients to see if we had any frequent flyers…we did!
◦ Immediately called the COO and informed him that he will have the pleasure of calling these patients directly.
• Realized that we needed help and contacted an external breach response partner that assisted in decreasing our response and notification time from 56 days to 18 days
• Conducted a Root-Cause Analysis again to determine the program gaps
• Reinforced again with the Executive Leadership that this is more “cultural” than it is “procedural”
• Code A(ssessment) Alerts
◦ Alerts issued by the Information Privacy & Security Office led by the Chief Information Privacy & Security Officer
◦ Communication limited to the Information Privacy & Security Office, Public Relations, Corporate Legal Affairs, Risk Finance & Insurance and affected Business Unit Privacy and Security Champions
◦ Alert provides a summary and initial analysis of the potential data breach
◦ Includes initial data analysis culminating in an official breach risk assessment to determine if an actual breach has occurred
◦ Once a “Breach” has been called, the Code B Alert (Rapid Response) Team assembles to respond to the breach
• Code B(reach) Alerts
◦ Issued and managed by the Information Privacy & Security Office for all media reportable data breaches or data breaches with significant risk
◦ Branded communication plan consistently utilized throughout the system and managed corporately instead of at the business unit level
   ◦ External: Includes the notification to the prominent media outlets and OCR
   ◦ Internal: Typically includes a copy of the communication to the patients, FAQs about the breach and instructions for forwarding patient inquiries to the toll-free call center
◦ Requires immediate attention by all System leadership and should be shared with staff
◦ All Code B Alerts are active for a 90 day period
• Branded System wide program coordinated by the IPSO to safeguard “system” information
• Phase I: Targeted portable storage devices
◦ Required employees to visit one of 20 “IT staffed” stations to turn in all personal flash drives for our approved IronKey solution; register any portable hard drives or personal laptops for follow-up by IT
◦ Employees could enter a drawing for an iPad 2 by completing a crossword puzzle based on our privacy & security policies
◦ Removed 5000 flash drives in 4 weeks
• Phase II: Targeted “culture” through educational modules (97%)
• Phase III: Focused on reducing our printer “unsecured” footprint
• Phase IV: Targeted the culture again to reinforce HITECH/Omnibus (98%)
• Phase V: BYOD & Mobile Device Management
• Reported this incident to the CEO, COO & Board again
◦ Compared the list of affected patients to see if we had any frequent flyers…we didn’t! Thank God!
• Offered an internal reward of $5000 for the return of the device
• Required the Research Administrator to co-sign the notification letter to the affected patients
• Conducted a Root-Cause Analysis again to determine the program gaps
• Reinforced again with the Executive Leadership that this is more “cultural” than it is “procedural” and communicated such to all workforce members
Our Workforce
• Morning Post Messages & System Emails – Scheduled to deliver key
privacy & security messages
• Annual Mandatory Education – iComply & Job Specific
• Privacy & Security refresher trainings conducted by the IPSO team
• Manager’s Update – Monthly email to all leaders detailing key messages
Our Board Members
• Quarterly privacy & security Board updates
• Annual submission to the Trustee newsletter
Our Patients & Communities
• “privateTALK” or “secureSPEAK” with the CIPSO – Scheduled chat
sessions where questions can be addressed in an online forum
• Intranet Webpage, Internet Webpage & Social Media Sites
Meredith R. Phillips, CHC, CHPC
Chief Information Privacy &
Security Officer
Henry Ford Health System
One Ford Place, Suite 2A10
Detroit, MI 48202
313-874-5168
cipso@hfhs.org
Twitter: @mphillipschc