One of the common themes I see and hear when working with covered entities is an attitude of “reluctant obedience” when it comes to HIPAA Security Rule compliance. And I get it. There are so many regulations from various government agencies to comply with, it can really make your head swim. But, after spending years working with it, I see the HIPAA Security Rule a bit differently.
While other regulations often tie you down with red tape that adds little to no value to your business, the HIPAA Security Rule (HSR) actually provides value to your business. When you get right down to it, the HSR really only requires that you take control of your computer network the way you should want to anyway. The HSR wants you to stop shooting from the hip and exercise true governance over your most precious business asset - your data.
Specifically, the HSR focuses on data that is defined as electronic protected health information (ePHI). But guess what also resides on the same network that houses your ePHI? Yep, your accounting and financial data, your operational data such as HR and marketing, and likely tons of loose-leaf spreadsheets and other documents that represent thousands of man-hours of work by your staff. When you take measures to secure your ePHI, you most likely will also be securing all your other business data. That’s just one side benefit.
But let’s back up for a moment and stay above the weeds. Too many companies look at their computers, and IT in general, as a necessary annoyance. So, there is rarely a plan for what will be put into place or how it will be managed. It just sort of happens as an afterthought. It often goes something like, “Oh, I guess we will need a new server for that software? Ok, what will that cost?” As a businesses grows, the network becomes more complex with many pieces and parts that must work together, but with little forethought and planning. The result is complexity mixed with poor control. Multiplied by time, this produces chaos in the form of dysfunctional business operations, disruption and downtime, low employee morale, dissatisfied customers/patients, data loss and even data compromised by external entities. So, where does the HSR fit in? I’m glad you asked.
Contrary to the wishes of many, the HSR is not a checklist. Thank goodness it’s not. It’s not even a true framework. I’d call it solid guidance on how to begin taking your data and network seriously. What it really requires is that you take the time to:
- identify where ePHI lives,
- genuinely assess the risks that threaten ePHI,
- implement safeguards to reduce or eliminate the risks to ePHI,
- actively control access to ePHI through business process and technical controls,
- establish policies and procedures and make sure your people understand and follow them,
- regularly review and evaluate to ensure that you are doing what you say with regards to ePHI, and
- make changes as necessary to preempt or react to your changing business environment.
In a nutshell…do your I.T. on purpose.
Now, replace “ePHI” in that list with “all of my business data” and tell me those are bad ideas.
It’s not 1994 and we’re not using computers as a luxury anymore. They’re not VCR’s or PlayStations. They are an integral element of every successful business. Unmanaged, they will eventually be the bane of your existence. Wielded with decision-driven care, they can elevate your game. Yes, your information technology can even be a competitive advantage…especially if your competitors view it as an afterthought.
If you’re a covered entity or a business associate, I challenge you to take a new look at the HIPAA Security Rule. Go beyond mere compliance and put your business in the best position to win, financially and otherwise.