4 Reasons Why You May Be Missing the Point with HIPAA Security


In my years working with 'Covered Entities' (or clients who fall under the HIPAA 'umbrella' of compliance), I have met hundreds of people who should know how HIPAA Security impacts them, but they just don't get it.  Usually, after talking to someone for a few minutes, I can tell what 'level' the person is on when it comes to their understanding of the HIPAA Security rule.  In all of my conversations, I can honestly say that I don't think I've ever talked to a medical practice manager, security officer or HIPAA compliance manager that completely understands the Security rule.

Now don't get me wrong…I know you're out there. I know there are many who grasp all the details of the rule, I just haven't had the luxury of meeting you, yet. But the fact that there seem to be so few of you tells me that there is a ton of false information out there about what HIPAA Security really is and, probably more importantly, what it isn't.

I was thinking about this the other day and it made me wonder: Why is HIPAA Security so hard to understand? It seems easy enough, so why are our clients (and others) just not getting it? Well, I think I can break it down into 4 categories:

1. You haven't read the Security Rule.

If you've not read the entire Security Rule (45 CFR Part 164, Subpart C), you should. I know, I know, it reads like a bad set of bicycle assembly instructions, but you can do it! Take the time you need to go through the entire thing. Even if you don't understand all of it, the concepts are there and it will help you understand SOME of it! The Government even helps you out: HHS publishes guidance documents that explain the rule's standards and implementation specifications in more detail. We've gathered most of that documentation and provide it for you HERE

2. You're assuming your technology makes you compliant.

As we discussed in depth before ("Why HIPAA Security Is NOT About Technology"), your 'HIPAA Compliant Firewall' is meaningless without the proper policies and documentation to back it up. HHS does not certify products as HIPAA compliant; the rule asks you to analyze your own risks and document the safeguards you chose to address them. 'HIPAA Compliant ANYTHING' is nothing but wasted money if you don't make, and write down, the decisions on why that equipment is being used and how it is going to be configured.

3. You think that someone else is in charge of your compliance.

This is a biggie. Stop and think about your HIPAA Security Compliance. Is there ANY part that you have outsourced or handed off to a vendor or business partner? If so, you've missed the point. An IT vendor should be able to help you make good choices on your policies, but YOU have to make those final decisions and document them. Similarly, an outsourced HR firm might be able to help you with training or security awareness, but YOU have to decide how that will work and document it. A Business Associate Agreement makes the vendor responsible for protecting the ePHI it handles; it does not transfer your obligations as the Covered Entity to them. Simply signing up with a vendor does NOT help your compliance…in fact it might make it more difficult, since you just handed the issue to someone else and you'll now forget about it.

4. You think HIPAA Security Compliance is a goal to achieve.

Probably the single most misunderstood issue with HIPAA Security is that you NEVER really become 'compliant'. You can get close and you can work towards it, but there is no finish line that you get to cross and then you're done. The rule itself says so: it requires you to review and modify your security measures as needed (164.306(e)) and to perform periodic evaluations (164.308(a)(8)). It's a journey that will be with you from now until you retire from your job. HIPAA Security Compliance takes constant work…so if you think you'll get finished with it one day, you're mistaken. Sure, you can get all of your policies documented (with something like FlightPlan!) and you can make all the decisions you need on access to your ePHI. But once all that's done, every time something changes (a new computer, a new copier whose hard drive may store images of ePHI, an employee who quits and whose access must be terminated, etc.), you have to update your risk analysis and documentation and keep moving toward compliance.


This blog article might sound like a bit of a downer. But it is the truth that we're seeing every day in the field. Doctors' offices, clinics, hospitals…they all seem to be missing the point. Many of these misperceptions are handed out by vendors, 'experts' and trade groups. Staying on top of HIPAA Security doesn't have to be difficult. I think the biggest hurdle to get past is that you have to admit that it's DIFFERENT than what you thought it was. And no amount of 'HIPAA Compliant' firewalls, software or shredding services is going to get you where you need to be.


Stay with us! We want to help dispel the myths! Check out our blog (updated at least twice a week). Follow us on Facebook/LinkedIn/Twitter for more updates like these!

Jeff Franks is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software solutions. HIPAA FLIGHTPLAN provides centralized documentation of your HIPAA Security Rule compliance program. HIPAA TIPS delivers Security Awareness training to your entire staff, every month, without impacting your daily operations.