HIPAA Isn’t Brain Surgery

The other day I noticed that one of my (very competent) colleagues out on the WWW advised that you need a “deep understanding of HIPAA” when advertising his HIPAA training.  I have no doubt that his training is stellar.


But, trust me, as a Privacy Officer for the past six years I can tell you that you do not need a deep understanding of HIPAA.    


What you need is to find and rely on those who DO have a solid, boots-on-the-ground understanding of all the major and minor pieces, as well as all of the nuances of the HIPAA privacy rules, and can assist you on an as-needed basis. 


Let’s say that you’re a practice manager, and you’ve been served with a subpoena (not a court order) for copies of the records of one of your patients.  Did you know that the HIPAA Privacy Rule (45 CFR 164.512(e)) requires you to get satisfactory assurance that the party who issued the subpoena has made reasonable efforts to notify the patient whose records are sought and to give them an opportunity to object, or has secured a qualified protective order, before you release anything?  That’s one of the nuances of HIPAA.  And I’ll bet it wasn’t included in that 30-minute training some consultant, with little or no healthcare or compliance experience, sold you.


Did you pay $100s for HIPAA training?  Bought some of those “official HIPAA forms” (no such thing, by the way)?  Did you buy a copier from some company who claimed that their copier (and faxes, and scanners, etc.) were “HIPAA compliant”?  Oops, sorry, there’s no such thing as a “HIPAA-compliant” copier.  (Believe me, you’re not alone — lots of money has been made using the “HIPAA compliant!” label. . .)


If paying all that money for HIPAA training had been enough to keep practices from complaints, then there wouldn’t be 41,000+ complaints filed with HHS in five-plus years. 


That your practice may not have had any complaints doesn’t tell me whether your staff understands their roles regarding HIPAA; it just tells me that your patients don’t know their rights.  Yet.  But that’s changing.  HHS is now getting hundreds more complaints every month.


I’ve been the Privacy Officer responsible for implementation and compliance with the HIPAA Privacy & Security Rules for a large healthcare system for the past six years: 300 beds, 1.5M clinic visits per year, and 6,000+ employees.  THAT’S what gives me a very solid understanding of all the major and minor pieces, not to mention the nuances, of HIPAA Privacy & Security.  The proof is in the pudding — in the past 12 months we’ve had 17 privacy complaints; ten of them were without merit.  Not too shabby.


I’m setting up a HIPAA Privacy & Security practice.  I’ll be offering information based on real experience, with real complaints, and real solutions.  And I’ll be steering you away from almost anything claiming that it’s “HIPAA compliant.”  When it comes to Privacy & Security compliance, most of it relies on the behavior of your staff, and the rest just isn’t that hard.


Keep me in mind.


I blog regularly about HIPAA issues.  If you have a question about either the privacy or security rules, or if you’re having a problem with one of your providers (or one of your patients), email me directly at hipaadiva@yahoo.com.  It would be my pleasure to help you.


One response to “HIPAA Isn’t Brain Surgery”

  1. Thank you for a very interesting article. I wish you good luck.
