Missing the Target of HIPAA

Universally when working with new clients, they tell me, “I can’t learn all these HIPAA regulations and requirements.  I don’t have the time or the desire to be an expert on HIPAA!”  My response is, “That is absolutely correct!  You shouldn’t be an expert on HIPAA; that is my job.  What you and all your staff should be is risk management proficient.” Most times that draws the deer-in-the-headlights stare.  Not much comfort is taken from my response.

Usually the conversation proceeds something like this:

"You are doing your required security risk assessment to identify all potential threats to your practice.  This includes:

  • Threats that can prevent you from delivering the right healthcare to your patients in a timely manner.
  • Identifying vulnerabilities that can result in the theft of patient data and your practice’s proprietary information.
  • Detecting and stopping malicious attacks designed to extort and steal your hard-earned money and severely hurt the value of your practice.

 

A wide range of complex and difficult threats to somehow control, but that is where risk management comes to the rescue."

Risk Management; it sounds intimidating, lofty, official and complex.  But you use risk management frequently, to get through the daily issues of life.  Your commute to work is a great example.  Getting to a downtown office is a challenge, but you have an established plan and process to arrive on time each morning.  You maintain your vehicle, eliminating vulnerabilities, to be reliable and keep you safe during the commute.  You monitor traffic via TV, radio or cellphone app.  Contingency routes are in place if there is a wreck on the freeway.  If the weather is bad, you leave earlier, or maybe work from home.  Processes and procedures you established to enable you to successfully meet your goal of getting to work.  You have identified the threats and are managing the risks.

This is the true target of HIPAA: to effectively identify and manage threats, vulnerabilities and risks that can negatively impact your practice and patients.  In simple terms, identify threats and take action to address those risks (threats).  By being risk management proficient, you are reducing your practice’s liabilities.

Additional blogs will follow on this topic in the coming weeks.

If you'd like more information on HIPAA compliance, risk assessments, or reducing the liabilities for your practice, contact us at: compliance@thirdrock.com

Ed Jones, PMP, CHSP
About the Author

Over 30 years of customer facing experience managing projects in healthcare, IT, process automation in a variety of tech industries, Ed has worked for start-ups to Fortune 100 companies. He has performed numerous complex and extensive risk assessments, and developed and managed the corresponding risk management strategies.

%d bloggers like this: