HIPAA Compliance in Tampa and Lakeland: DataCorps Technology Solutions

Keeping Electronic Health Records safe has never been tougher, or more important.

It has never been a more legally demanding time to be in the business of protecting medical data. According to industry studies, the healthcare sector has an inadequate security culture and one of the lowest rates of data encryption. Employee education is poor, and it leads to costly mistakes that regularly compromise patient data. Targeting a healthcare organization is as easy as the proverbial "shooting fish in a barrel."

The most recent evidence comes from two sources: Protenus, a company that specializes in protecting electronic health records, and IBM Managed Security Services. These conclusions have also been backed up by the security firm Sophos.

It's one thing when the insiders are malicious. Training, management, and proper hiring can help defend against such threats. But the data indicates that the overwhelming majority of the risk comes from well-meaning but uninformed staff who are just trying to do their jobs. The causes are a lack of training, a virtually non-existent security culture, and a lack of knowledge.

And it gets worse.

In a recent interaction with a software vendor on behalf of one of our local Tampa healthcare clients, we forced the vendor to follow our rigorous security standards for introducing a new system into a healthcare network. Their response: "No other clinic has required this of us."

Folks, this was a MAJOR healthcare software vendor!

So, what does a small clinic need to do to be HIPAA compliant with their technology?

How are we getting this so wrong? Here are my thoughts:

  1. The HIPAA and HITECH laws are incredibly complex and difficult for the average office manager to digest, apply, and train on without external assistance. We've seen this around Tampa time and again.
  2. The external assistance often comes by way of a "HIPAA in a box" vendor, many times the practice's own IT vendor, who may, perhaps unwittingly, be practicing law without a license. Be wary of anyone who offers legal advice and is NOT an attorney specializing in technology and HIPAA issues.
  3. Too many people who don't know enough about HIPAA have positioned themselves as experts and have overwhelmed and saturated the consumer of HIPAA compliance solutions. Check credentials!

How do we begin to turn this around?

  1. Hire an attorney to manage the process of compliance. It's worth every penny since, in essence, when you write your policies and procedures you are writing law for your clinic to follow. Without real legal expertise this is obviously dangerous.
  2. Know your risks - you must assess your risk regularly, or have an expert do it for you. Once is not enough.
  3. Learn and follow best practices - this is an ongoing process, again, not just something you do once.
  4. Know where your data is and control it - if you don't know where your sensitive data lies, you won't be able to protect it.
  5. Educate, Educate, EDUCATE!!! - it can be as simple as signing up for our weekly tips to get the pump primed. Hold regular lunch-and-learns to discuss the proper use of computers and e-mail and the handling of PHI. Your staff is your most vulnerable spot for data breaches and legal troubles, so it is absolutely worth the time and effort to strengthen that area with regular training.

Finally, HIPAA and HITECH compliance is NOT the goal - protection of privacy is!