Today I was lucky to finally have a long lunch with Mike Semel from Semel Consulting. Ironically, Mike has a home in Las Vegas, but with all of his travel, we’d never had a chance to meet until today. However, we’ve exchanged a lot of emails over the years as he regularly responds to my blog posts. As Mike told me, “It feels like I’ve known you for a long time.” That’s the power of social media in action.
At lunch we covered a lot of ground. Mostly related to HIPAA security and compliance. As I try to process everything we discussed, the thing that stands out most to me is the just enough culture of HIPAA compliance that exists in healthcare. I’ve seen this over and over again and many of the stories Mike shared with me confirm this as well. Many healthcare organizations are doing just enough to get by when it comes to HIPAA compliance.
You might frame this as the “ignorance is bliss” mentality. In fact, I’m not sure if it’s even fair to say that healthcare organizations are doing just enough to comply with HIPAA. Most healthcare organizations are doing just enough to make their conscience feel good about their HIPAA compliance. People like to talk about Steve Jobs “reality distortion field” where he would distort reality in order to accomplish something. I think many in healthcare try and distort the realities of HIPAA compliance so they can sleep good at night and not worry about the consequences that could come upon them.
Ever since HIPAA ombnibus, business associates have to be HIPAA compliant as well. Unfortunately, many of these business associates have their own “reality distortion field” where they tell themselves that their organization doesn’t have to be HIPAA compliant. I don’t see this ending well for many business associates who have a breach.
The solution is not that difficult, but does take some effort and commitment on the part of the organization. The key question shouldn’t be if you’re HIPAA compliant or not. Instead you should focus on creating a culture of security and privacy. Once you do that, the compliance part is so much easier. Those organizations that continue this “just enough” culture of HIPAA compliance are walking a very thin rope. Don’t be surprised when it snaps.
Amen. As Rita Bowen from HealthPort says, “it’s time we moved from just “check the box” HIPAA compliance to to true privacy and security ethics.”
We always knew when software vendors were building HIT applications to meet the minimum requirement and rewarding providers on just meeting the minimum that we were killing competition and innovation. Same thing applies to HIPAA.
We now have industry sodden mess of mediocrity at the top.
Most are not doing just enough…they aren’t doing nearly enough.
When it comes to meaningful use, I instruct practices to exceed the mins by changing their processes. This also helps give them a buffer just in case something gets goofed up.
YET – nobody likes this (except getting a check), minimum levels are set, so really, what do we expect?
Just enough in HIPAA compliance is actually a fair amount, yet again, as most despise this “thing” being pushed on them, there is an attitude of resistance.
You should also know this that government is introducing phase 2 of the HIPAA audit and it will be random so anyone’s turn can come first. There is a amount of $100 for violating the HIPAA compliance not knowingly and a #50,000 for intentionally violating it