Alanna J. Kroeker
Loyola University Chicago School of Law, JD 2017
Ali Gross is currently a Senior Privacy Analyst at University of California Los Angeles Health (UCLA). Ms. Gross is a 2015 Loyola University Chicago School of Law Graduate where she also completed a health law certificate. Ms. Gross knew she wanted to live in California after graduation from Loyola so she spent her summers working in Los Angeles and networking with Loyola graduates and professors with ties to California. Ms. Gross was introduced to Marti Arvin, online professor at Loyola and then Chief Compliance Officer at UCLA, through her professor, Ryan Meade. She applied for a position in the privacy office at UCLA and interviewed with Ms. Arvin, which eventually led to her current position. Ms. Gross says that having the health law experience through Loyola prepared her for both the interview and ultimately her job with UCLA. The following is an interview with Ms. Gross where she gives an inside look into her daily life as a compliance professional.
Q. Briefly explain the structure of your compliance office at UCLA and any aspects that may be unique to UCLA.
The office is broken down into specialties. We have the following focus areas: (1) physician and hospital billing, (2) research, (3) privacy, and (4) information security. UCLA Health has a very unique patient population in Los Angeles, which makes our privacy work very interesting. We have to consider additional privacy and information security safeguards to protect our patients’ information. Along those same lines, it is my understanding that information security does not always sit within the compliance program. However, I could not imagine doing our privacy work without the help of our information security team. My info sec. teammates assist me in implementing technical safeguards on the electronic health record when needed and they help me tremendously in analyzing how to transfer data in and out of the institution in a secure manner.
Q. What does a typical day look like for you? What are your responsibilities within the office?
My day is primarily focused in privacy. In a given day, I might:
- Respond to a concern about a privacy breach, which may come in from a patient or a workforce member who saw or witnessed an inappropriate use, access, or disclosure. A response may include analyzing an audit of a patient’s record, querying managers in various departments around the health system, interviewing workforce members to how and why a use, access, or disclosure occurred, drafting notices to federal and state regulators if a breach occurred, drafting notices to patient(s) if a breach occurred, working with senior leadership to implement corrective action for a breach, and oftentimes, provide department-specific education and training on regulatory requirements to mitigate future harm.
- Negotiate Business Associate Agreements, which are contracts put in place with non-UCLA business partners, who have access to our protected health information.
- Respond to department-specific requests for advice to proactively manage privacy concerns. It is our goal to have the departments come to compliance to request interpretation or analysis of regulatory requirements and assist in operationalizing those requirements. If we have the right safeguards in place, we focus less on being reactive or “putting out fires” every day.
Q. What are the most frequent compliance/ethics issues that your office deals with? What are some of the biggest issues facing the industry as a whole?
Right now in privacy, the most frequent issues are the investigations of inappropriate accesses, uses, and disclosures of protected health information. We are also constantly working on better understanding the intersection of human research and privacy. There are some gray areas in the law, which require careful thought and analysis. As an academic medical center and large research institution, this is really important to our office.
Right now, the industry seems to be focusing on OCR Phase 2 Audits. OCR is conducting its second phase of covered entity audits and in this phase, covered entities and business associates are required to have updated policies and procedures. Also, OCR seems to be focusing on the protection of electronic Protected Health Information (ePHI). There have been multiple OCR investigations, and ultimately fines (in the millions of dollars) for organizations that have failed to encrypt and safeguard their ePHI. From a privacy and information security standpoint, we focus very heavily on encryption and technical safeguards.
Q. What skills do you think are imperative to be successful in the role of a compliance officer?
To be successful in compliance – I think you have to be interested in health care first of all. You will work alongside the brightest people in the delivery of health care and you have to understand what it is they do and how they do it, in order to understand how to implement the regulations. This requires a lot of long chats with health care gurus and a willingness to learn.
Q. Has there been anything that surprised you about working in compliance? Or that you didn’t expect when you began your compliance career?
Every organization is incredibly different. There is no one size fits all. Not every organization implements the “7 elements of compliance” in the same way. So, I think going into it with an open mind and flexibility is key. But also, use your legal background and analysis to perform the “smell test.” If it doesn’t smell right or sit well with you based on your interpretation of the law – something is probably wrong. Follow that intuition.
Q. One piece of advice for those interested in pursuing a compliance profession?
The compliance world is very small and there are so many people willing to help. Generally, in law school, all we ever heard was network with lawyers. But the health care compliance community is very embracing of health care lawyers who are interested in better understanding what a compliance professional does every day. Don’t be afraid to ask someone to coffee and ask questions.