A few years ago, I approached a compliance officer at a hospital to get his take on what seemed a confounding question: Why do so many acclaimed health systems pay fines for breaching patient privacy, often for careless lapses, such as a laptop snatched from an unlocked car?
Surely these organizations have policies drafted by the best lawyers.
This compliance officer, a veteran of privacy regulation, replied matter-of-factly: “Oh, they have policies but they don’t stick.’’
Still today, six years after the overhaul of the Health Information Portability and Accountability Act (HIPAA), accountability for HIPAA itself remains a challenge. Policies may be on file, but they mean nothing until daily activities align with the goal of keeping private health information a secret to all except those who need to know.
If there is reason for the earth to shake beneath privacy and security offices across healthcare, it is right now as a recent spate of indicators point to a widespread, insufficient compliance with HIPAA.
In March, a panel of chief security officers at the 2019 HIPAA Summit called for compliance managers to move beyond the mindset of HIPAA security as a mere checklist, when requirements call for a detailed, enterprise-wide approach.
Findings of a 2019 Healthcare Compliance Benchmark Report by SAIGlobal reinforce the panel’s concern. Among survey respondents, half indicated the use of a self-assessment tool or checklist to evaluate their compliance programs, while 19% didn’t assessment their compliance programs.
Similarly, a recent landmark study by health industry leaders framed its goal as “moving the needle” on basic security protections — likened in the report to the simple use of hand sanitizers to prevent the spread of germs.
Indeed, privacy protections are about prevention.
Imagine this scenario as an example: Jenny in the purchasing office receives an email appearing to come from Sally, a colleague on another floor. From Jenny’s training, she knows that hackers can operate under identities stolen from within an organization. Jenny becomes suspicious, because Sally would have no reason to email her. Instead of opening the email, Jenny follows procedures that have been posted in her department to notify IT and stop activity on her computer until the source of the email can be checked.
Jenny’s actions in this case illustrate the achievement of a culture of vigilance. She knows to be on guard to protect against potential intrusions and just as importantly, she knows what to do in the event of suspicious activity. This can only occur when high expectations, set by leadership, result in training and smart practices that become second nature.
Think of it this way: Do you put a baby in a car seat exclusively because it is the law?
Of course not. You do it to protect the child. You couldn’t imagine not doing it.
Similarly, the benchmark of success in securing private information is when the Jennys of your organization wouldn’t think to open a suspect email, or leave sensitive downloads on their screens, or talk to their friends about patients. They’ve taken ownership of their responsibility to protect secrets entrusted to them.
In such a world, daily procedures align naturally with policy expectations — less because of rules and more because of shared values that uphold confidentiality as a bond of trust. Within this mindset, there is sensitivity to the potential harm to people’s lives when private information gets out. Think about unwanted paternity results, or the impact of chronic disease. Such things could tear apart relationships or derail careers.
Once confidentiality is understood in these terms, HIPAA simply becomes a means to a much desired end. Policies stick because trusted partners — like your organization — intentionally keep secrets.
Diane Evans is Publisher for MyHIPAA Guide, a HIPAA consultancy and subscription service, and she can be reached at firstname.lastname@example.org. To learn more about HIPAA implementation visit here.