Fear of HIPAA Audits Despite 0.002% Chance

Posted on May 19, 2010 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Anyone that has worked in healthcare has the palpable fear of the word HIPAA. Any time the word’s mentioned, I have this visceral emotion shoot threw my body. I’m sure it’s the same for many people. HIPAA is like the nasty word that no one can argue with. Just say something is a HIPAA violation and no one can argue with you (assuming you’re right).

In the clinics I’ve worked in, there really is a desire to try and follow the HIPAA rules as best as possible. They all hate it, but they all try in good faith to follow the HIPAA rules. They likely do this because of fear of the dreaded HIPAA audit. Check out this interesting comment made on a previous post I did which puts the HIPAA audit in a new light:

Same goes for the HIPAA rules. We all spend so much effort and time to comply, yet the handful of cases arise when a disgrunted, recently fired employee becomes a whistleblower to screw their past boss and “tells all” to the feds who then pounce on the poor unsuspecting doctor to showcase their enforcement muscle. I’ve heard of anecdotal cases s.a. this, but I have never actually seen an office raided for an HIPAA violation or a major article on the subject in my medical journal reading. Considering that, if say, there are a dozen cases, then 12/780000 practicing doctors, my chances of an HIPAA audit are about 0.002%.

It’s a crazy world we live in. I agree that the risk of a HIPAA audit is pretty small and I think most people acknowledge this internally. Yet, people are afraid to say this publicly, because it sends a message that they don’t care about patient privacy. I think most clinics go through this amazing internal conflict. Basically, they want to support patient privacy, but they also don’t want HIPAA to get in the way of caring for patients and running their business.

The solution I believe most clinics employ: If I don’t talk or acknowledge it, then I don’t have to worry about it. Basically, ignorance is bliss. So, they address any privacy issues that come out and they try to maintain privacy generally, but few of them take it head on and make sure that they are HIPAA compliant. Should they? There’s only a 0.002% chance they’ll have a HIPAA audit.

Note 1: Hospitals are different than clinics. There’s other issues related to HIPAA at hospitals.

Note 2: See, I do occasionally write about HIPAA. That’s why this website is named EMR and HIPAA. Every 6 months is about right, no?

Note 3: Patient Privacy is very important to me, so this post isn’t meant as an excuse for people to not protect their patients’ privacy. It is an attempt to discuss openly what I think is really happening with HIPAA in clinics.