Kristin Kenney ventured into the legal world after a successful career as an entrepreneur and business manager. Today, she leverages that frontline business insight as the technology, privacy, and cybersecurity legal counsel for HCA Healthcare, a Fortune 100 company, working with every single division of the multibillion-dollar medical facility network. “Having a partnership with the business is about really being able to listen to what’s working and what’s not—and then figuring out how to fix it,” Kenney says. “That means listening to everyone—from the executives to the business operators who actually run the facilities and divisions—and understanding what their needs and frustrations are.”
Equipped with a JD in business and entrepreneurial law from the University of Missouri – Kansas City, Kenney previously worked with a variety of new and emerging-growth companies during her years as an associate attorney at Polsinelli, helping start-ups from the early stages of formation through their full growth cycle. She developed an interest in HCA’s work in particular when the healthcare provider—comprising 178 hospitals and 1,800 sites in 20 states and the United Kingdom—became one of her clients.
When HCA approached her in 2014 to join the team full-time, she jumped at the opportunity. “It was a new challenge,” she says. “HCA has an incredible team of technologists and security resources. It’s an organization that really does good in the world. What I enjoy most about in-house practice is the ability to build meaningful partnerships with my business teams, which helps me understand their goals and provide creative solutions from there.”
Part of building partnerships as in-house legal counsel requires fixing legal processes that aren’t working. Kenney’s initial project involved streamlining HCA’s information-security program, which had previously operated on a more-than-six-month negotiation timeline, at significant impact to the sales cycle, causing frustration among vendors and internal business owners. “As a healthcare company, ultimately we want to do what’s best for our patients,” Kenney explains. “And this was a pain point, because our diligence in IT security involved a significant time and often legal expense.”
To address this issue, Kenney worked with the business team to streamline the ISA template from its original forty pages into a mere ten-page document, and she developed playbooks and training programs. This resulted in a nearly 70 percent reduction in internal and external time spent on related processes, and it shortened the negotiation timeline to fifty days.
Kenney also streamlined all IT and IP contracting work at the facility and division level. After meeting with various stakeholders to understand their frustrations with the existing processes, she identified and lead the implementation of a solution. She developed a short rider that addressed high-risk concerns such as data ownership and security, representations and warranties, indemnity, limitation of liability, and regulatory issues. It empowered the business to move forward with no legal review if the rider was signed by the vendor without changes. If changes were required, Kenney implemented an abbreviated legal review focused solely on high-risk issues. This reduced the master-agreement review timeline from six months to two weeks and cut legal spending from an average of $30,000 per agreement to about $750. “This has been a huge improvement on how we handle risk related to field operations,” Kenney says. “It has enabled our hospital operators to continue providing the best patient care possible while ensuring that HCA’s risks are protected.”
More recently, Kenney has found herself working closely with business units across the company on a new challenge: compliance with the European Union’s (EU) General Data Protection Regulation (GDPR). “GDPR is really different from American privacy laws, and it’s also a major change from what the EU had in place to begin with,” Kenney says, adding that it was important to navigate the new rules both within the US and within HCA’s UK division. “That made it key to make sure that everyone was on the same page and working toward the same goal.”
Kenney worked with information protection, security, and a number of other departments to break down the company’s compliance needs. Together, they identified starting points and high-priority issues and determined how to tackle them all as a single project. The effort allowed the company to implement new policies and procedures in place in time to meet a tight deadline for compliance.
As a technology attorney for HCA, Kenney also oversees technology transactions, cybersecurity, privacy, and operations as the company’s needs evolve. She manages contract negotiation and serves as a point person for escalations while collaborating with strategic teams to ensure HCA’s data is closely safeguarded. Much of her work has been at the enterprise level, particularly her work on internal and external product development. And, she has also assisted with the development of an internal product, including the related policy and training, that helps identify and safeguard sensitive patient and company data.
Kenney’s achievements have come largely by lending an ear to all facets of the enterprise. “It’s important to understand your business team’s goals and frustrations to support them,” she says. “And it’s important to understand what a particular product does and how we’re planning to use it, which means that you really need to ask the right questions. Taking the time to do that helps ensure that you have a full picture of what’s happening and are providing solid counsel.”
A champion of both law and business, Kenney says she has loved learning about HCA by taking a comprehensive approach. “Working in-house gives you a different perspective of legal practice,” Kenney says. “Having a good relationship with your business team and building mutual trust enables you to have a great partnership.”
“As outside technology and privacy counsel for HCA, it is a real pleasure to work with Kristin. She understands operating in the difficult and fast-paced healthcare technology industry, and Kristin is always clear and decisive in her decision-making.”
—Gregory Kratofil, Jr., Tech Transactions & Data Privacy Chair