HIPAA-deniers, It is no longer business as normal
Mike Semel has written some very insightful articles on HIPAA and has turned some catchy phrases in an otherwise pretty dull subject. In his recent article, HIPAA Business Associate Avoidance and Google Update, we so enjoyed the phrase “To all of you HIPAA-deniers, you can run but you can’t hide. You are a HIPAA Business Associate no matter what you say” as well as the examples Mike provided that we had to post it here and comment on these HIPAA-deniers as well.
This is probably because we have suffered through these conversations with HIPAA-deniers (both Covered Entities and Business Associates) as well:
- providing specific text from the HIPAA Omnibus to web hosting companies that knowingly (or uncaringly) store Protected Health Information on servers that are crammed with hundreds of shared accounts,
- explaining to a physician’s office that a stack of backup tapes reaching over two feet high on top of their server was not a good idea,
- listening to countless providers write or tell us that they are “willing to take the risk” or that they plan to “close up shop” because of HIPAA,
- learning from attorneys, CPAs, billing companies, and others the value of their services to healthcare… and also that their laptops are not encrypted,
- deciphering from Complementary and Alternative Medicine providers how they are healthcare providers (some even licensed by the State) but aren’t subject to HIPAA because they “don’t have any real data” or it isn’t a “full-time job”,
- engaging with “experts” who have never read the HIPAA Omnibus,
- hearing numerous schemes to avoid being covered by HIPAA… usually a provider who wants to be entirely paper-based.
How can HealthCare Too Help the HIPAA-deniers?
Some of the members of HealthCare Too come from the manufacturing side of healthcare that is subject to FDA regulation and have seen rigor that makes HIPAA pale by comparison (despite protests by HIPAA-deniers to the contrary): truckloads of documentation (sometimes quite literally), onerous Change Management processes, annual training, update training, Curriculum Vitae updates, and so much more. These FDA practices may be too much rigor, or perhaps not enough, but (with some exceptions) they do not even deal with Protected Health Information, data that may ruin a person’s life if not properly safeguarded. That data resides primarily on unencrypted laptops, random and wayward USB drives, unattended backup tapes, $3.95/month shared hosting accounts, and various free email and cloud services… a fact that may well be overlooked by HIPAA-deniers. For those who are simply still confused about the new role of Business Associates but want to do the “right thing”, feel free to read our white paper HIPAA and Business Associates: Tempest in a Teapot or Perfect Storm?
Honestly, HIPAA is just common sense and best practices for those who bother to read and understand it. Of the 42 HIPAA Security Rule Implementation Standards, take a quick look at a few of them, what each asks for, and what the alternative might be. We are certain most organizations that are committed to patient safety and care will find the benefit of HIPAA safeguards:
| Implementation Standard ((R) = Required) | What HIPAA asks | The alternative |
|---|---|---|
| Risk Analysis (R) | Understand external and internal risks to the practice or business in order to correct or prepare. | Unexpected problems and no course of action to deal with them? |
| Risk Management (R) | Security measures in place to address risks to patient data. | Leave patient data open to risks? |
| Sanction Policy (R) | Clearly defined expected behavior and consequences for employees concerning use of patient data. | Ill-defined employee obligations, staff confusion, wrongful terminations? |
| Information System Activity Review (R) | Scheduled review of systems to look for errors, incidents, trends, etc. | No idea if there are errors, incidents, hacking, capacity limits, etc. |
| Assigned Security Responsibility (R) | An authoritative source, known in advance, who can lead efforts to protect patient data. | No one person responsible for watching over patient data, allowing multiple interpretations or implementations of policies. This likely requires more time from the owner or senior management to deal with the confusion. |