HIPAA compliance

Why your practice should take HIPAA compliance seriously


Why I hate HIPAA

Hello. My name is Brian Largent, and this is another episode of Three Minute Thursday. Today, I’m going to be talking about why I hate HIPAA. Now, there are a lot of reasons to dislike HIPAA: government overreach, oppressive regulation. Whatever your reason for disliking it, I think you’ll find that my reasons for disliking it are a little different, especially since my company focuses on helping your organization become HIPAA compliant. So let me dive in. I’ll hopefully be able to explain what I’m talking about.

When I talk to companies, one of the first things that usually comes up is that they want to avoid fines and penalties. Well, the best way to do that is to be very, very selfish in the way you look at medical records. First of all, you are a patient, you’re a consumer of healthcare, which means you have medical records yourself. How do you want other organizations to handle those medical records for you? Do you want them to be lackadaisical about it? Let them sit out on open servers, no antivirus, no protection in place where they could fall into the wrong hands? Or do you want organizations to secure those properly, meeting some form of standard? I don’t know, maybe HIPAA.

And if that makes sense to you, then you should shift from wanting to prevent fines and penalties to protecting patient records. Don’t worry about the penalties; they won’t happen if you take care of your patient records and you follow the standard put down by the federal government. Here are a few of my observations. When I go to a potential client and they’ve already got antivirus in place, a password policy, and a screen lock timer, all the basic building blocks of a secure environment, it’s very easy for them to understand the last little pieces that need to be done, and it’s also cost effective for them to do these.

But when I visit a client that does not have any security in place, they are using consumer-grade hardware. They’re not patching their operating systems. They don’t have screen lock timers. They’re missing all the basic building blocks. Then it’s going to be considerably more expensive to get them into compliance, which is when I start hearing excuses such as:

Number one

It’s too expensive.

Number two

They signed a release. I have my patient sign a form that protects me from HIPAA. It doesn’t really work that way, but okay.

Number three

Nobody I know worries about it, and when a practice I’m familiar with gets a fine, I’ll start to care. Okay, I’m going to stop right there, because what you’re telling me is that you and Mr. Peabody are going to hop in the Wayback Machine and go all the way back to 1996, or maybe 2013. And you’re going to decide at that point how to calculate all the different assets you’ve disposed of, account for them, and then put them into a report showing that you’ve been in compliance all the way back in time. It doesn’t work that way. There is no statute of limitations on HIPAA compliance.

Number four

I’m insured from negligence. Well, that’s not how potential clients usually tell me that; they’ll use a lot more words. Ultimately, what it comes down to is they’re saying, “I’m insured from not being in compliance with federal regulation if a breach occurs.” I would actually go to your insurance broker and ask them: if you’re not following or in compliance with HIPAA regulation and a breach occurs, are you going to be covered?

Number five

It’s not a real issue. I was told by an “insert name of attorney, public speaker, journalist, coworker, colleague, etc.” that HIPAA is not a big deal, which is entirely true if you leave your credit cards lying around in parking lots and you don’t mind having your healthcare records lying around on unsecured servers.

So, why I hate HIPAA is because it’s very difficult to get rational, reasonable people to understand that their own medical records are also jeopardized when they don’t secure them within their organization. If we all really understood the ramifications of stolen medical records, we’d do more to protect them. Well, that’s all I’ve got for today. My name is Brian Largent. This has been another Three Minute Thursday. Have a wonderful rest of your week.
