Let’s talk HIPAA / HITECH / OMNIBUS. It might seem like an old topic. HIPAA was made law in 1993. So why are we still discussing it? Isn’t everyone aware of the regulations by now? Sadly, no. Many have taken steps toward compliance, but many still lack the full understanding and fail to fully realize the breadth of the law. It starts with a Security First mindset, but there is more than just security. Your primary goal should be protecting the privacy of the patient. Sometimes, the situation is innocent enough. The other day I was at a healthcare provider for a routine checkup. The receptionist yelled across the waiting room and said “what is your birthdate again?” I guess she was expecting me to yell it back to her. In that situation, with several people around, I was a little hesitant to do so. (And she shouldn’t have expected me to shout it back to her anyway).
If you think that HIPAA is burdensome bureaucratic nonsense, we understand. Many providers feel it is unnecessary and onerous. However, it does force us to recognize that security and privacy are not always our first and highest priority. It forces us to think about what we do and what we say that might put a patient’s personal information at risk. So, even though it may be burdensome and overbearing, a shift in focus to a Security First mindset can set us on the path to a future where ransomware isn’t holding our data hostage and where identity theft is not nearly as common as it is today.