Overwhelmed by HIPAA? Compliance is a Process, Not an Event

Like most major change initiatives, HIPAA compliance doesn’t happen in a day. It requires change by every person in the organization.

Everyone who touches PHI (protected health information) must develop new work habits to keep PHI secure…Staff who answer phones, schedule appointments, and check patients in have to maintain patient confidentiality in very public work stations…IT staff must implement new technical safeguards and continually monitor systems…Managers must learn the new roles of Privacy Officer and/or Security Officer…Senior Executives, HR, and IT need to collaborate on developing and implementing new policies and procedures for controlling access to PHI…Secure emailing and texting applications must be implemented…Maintenance finds themselves busy installing new locks, privacy screens…Training must be updated…Outdated policies and procedures replaced…

The list goes on, and this is just for HIPAA. Healthcare managers are still working on achieving the goals of Meaningful Use; learning about and striving to comply with MACRA; and dealing with an ever-changing insurance landscape. It’s no wonder Practice Managers and Compliance Officers tell us they feel overwhelmed!

Feeling overwhelmed is perfectly normal – and horribly unproductive. Overwhelmed managers tend to either procrastinate (“Ignore it, and maybe it will go away”) or exhaust themselves with frantic, unproductive busy-ness. Neither approach moves them any closer to HIPAA compliance. So what to do?

  • Relax. HIPAA compliance is important, not just for regulatory reasons but also to protect your patients’ PHI and your organization’s financial viability, but panicking doesn’t help. Take a deep breath.
  • Train staff. If you haven’t trained your staff on the new security requirements that went into effect in 2013, do that first. Staff members serve as a “human firewall,” protecting PHI and alerting management at the first sign of anything suspicious. Well-trained staff can help protect the organization while other measures are being implemented.
  • Implement basic IT security measures. Many of the basic security measures involve no additional cost. Your organization probably already has a firewall installed – make sure it is turned on. Microsoft and other software vendors routinely distribute “updates” that include security patches – install all vendor updates. See our earlier posts - Cybersecurity: Have you hardened your systems? and Best Defense Against Ransomware is a Good Backup – for other steps your IT group can take immediately.
  • Conduct a Security Risk Assessment. If you haven’t completed a Security Risk Assessment (SRA), do that now. If you don’t know how, hire someone to do it for you. An SRA will identify your organization’s particular vulnerabilities and the risk associated with each.
  • Prioritize. The Security Risk Assessment will result in a lengthy list of vulnerabilities, typically ranked high, medium, and low in terms of the risk associated with each vulnerability. Don’t try to do everything at once. Address the highest risk issues first.
  • Implement Policies & Procedures. You may be surprised to see “Lack of a policy and procedures for 'xyz'" in the “high risk” list.  A P&P alone won’t protect your organization but is the first step in making security practices part of the organization’s standard operating procedures. It’s also not enough to just write or purchase a P&P that gathers dust in a binder. The OCR wants to see evidence that steps have been taken to implement each P&P.
  • Keep going! HIPAA may seem onerous, but its primary aim is to protect patients’ PHI and, in turn, the patients’ and organizations’ financial viability. Both technology and the threats to PHI continue to evolve, so your organization’s HIPAA compliance must also evolve. “HIPAA Compliance” isn’t a destination to be reached – it’s a continuous risk management journey.


Good luck! If you have questions about HIPAA, including how to conduct a Security Risk Assessment or how to best remediate identified risks, contact us: info@thirdrock.com; 512.310.0020.

Julie Rennecker, PhD, BSN
About the Author

Julie Rennecker, BSN, PhD is an organizational development consultant specializing in the people and process challenges related to healthcare technology change. With 10 years bedside clinical experience (ICU, ER, behavioral health), a PhD in Organizational Behavior from MIT’s Sloan School of Management, five years on the Information Systems faculty at Case Western Reserve University, and more than 15 years’ research and consulting experience, she brings a unique synthesis of clinical, academic, and industry experience to bear on client problems and opportunities. She holds a Certificate in Health IT and Health Information Exchange from the University of Texas and is a credentialed EpicCare Ambulatory trainer.

%d bloggers like this: