Health Insurance Portability and Accountability Act (HIPAA) compliance hasn’t been what I thought it was going to be. When I first started out as an independent security consultant, I was giddy over the business opportunities that I just knew HIPAA compliance was going to bring. Around that time, I learned something from sales expert, Jeffrey Gitomer, that has had a profound impact on my career. He said that if you work for yourself and are in sales, which I am, that you must write and speak if you want to be known and build credibility. Taking Jeffrey’s advice, I chose to write a book on HIPAA compliance. Dubbed The Practical Guide to HIPAA Privacy and Security Compliance, I was doubly-confident that co-writing this book with my colleague, Becky Herold, was going to be my ticket into the HIPAA compliance space.
Boy, was I mistaken. Not because of the book but because of the healthcare industry as a whole. I’ve done a lot of HIPAA security-related work over the past decade and a half, especially for HIPAA business associates and their subcontractors. However, I have found that, by and large, traditional HIPAA covered entities still struggle with not only the details of the HIPAA Security Rule and its follow-on HITECH Act and Omnibus Rule but also the spirit of what it’s all trying to accomplish. I have found this to be especially true with hospitals and clinics. I have often experienced that decision-makers aren’t able to (or perhaps just don’t want to) spend the money necessary to do security well, or even do it at all.
It’s fascinating how many HIPAA-covered entities often talk the HIPAA talk but rarely walk the walk. If anything, attention is paid to the HIPAA Privacy Rule and its requirements. We’ve all signed those documents at doctor’s offices stating that we’ve received and read their Notice of Privacy Practices, which ironically they often don’t give you. This culture and approach to security (and business) is reflected in many of the data breaches we hear about regularly—and those are just the known breaches. I suspect the unknown ones substantially outnumber the known. Even with all the covered entities who get hit, many of them somehow stay out of trouble. It’s luck I suppose. Still, it’s a numbers game that will ultimately play itself out.
Digging in further, I see so many assumptions and myths regarding HIPAA Security Rule Compliance. These include:
- Compliance equals security. It never has and it never will, but the assumption continues to perpetuate. Instead, it’s the other way around: security equals compliance.
- Business associates and their subcontractors, including EHR/EMR product vendors, are responsible for securing PHI. They’re part of the equation, but they’re not solely responsible. HIPAA compliance does not come in a box.
- Self-assessment audits around involving HIPAA’s security requirements will uncover all of the gaps. These checklists, which are often carried out by healthcare professionals rather than IT/security professionals, are not unlike security specialists providing healthcare advice to patients. It’s not the ideal scenario.
- Paperwork (documented security policies) will prevent an incident or breach. No way. Vulnerable systems, processes, and people get hacked, not policies.
Overlooking these areas not only facilitates security incidents and breaches, but also can mean a violation of federal law. Sometimes, though, that doesn’t seem to be enough motivation.
In many ways, I don’t envy healthcare professionals trying to carry out their services. Security can get in the way of business, especially when it’s poorly designed or implemented. Many security controls are rushed into place to check a box in a way that undermines IT and security staff’s ability to think things through. Expediency is the approach, with compliance (rather than security) as the end goal. If these challenges are to be addressed and true security integrated into healthcare, it must start with management. HIPAA compliance and common-sense security is a cultural issue that has to be addressed at the highest levels of the business. I know firsthand that these are difficult issues to resolve. As a consumer and patient in this industry, I remain hopeful.
What’s needed beyond a culture shift is measured discipline: periodic and consistent security oversight that improves over time. Some people think more regulation is the answer, but I disagree. If people are ignoring existing laws, they’ll also ignore additional laws, and we’ll all end up with more bureaucracy, higher business expenses, and less freedom. Reasonable security doesn’t have to be that way.