We have asked 20-year HIPAA Expert Abner Weintraub to share his experience with us. Read about what successful HIPAA compliance programs have in common and what you can do to achieve full compliance.
In nearly twenty years of HIPAA-related work, I have had the privilege of working with many of the most successful healthcare enterprises in the nation, and some who were not so successful: from ‘Top-100’ health systems to small clinics, from established brands to hungry startups, from workers who’ve been terminated for HIPAA violations to individual patients who needed help, I have confronted nearly every aspect of HIPAA and its wider effects over the years. In this article, I’ll be sharing my observations on what makes some compliance programs very successful, while others struggle endlessly to achieve full compliance.
HIPAA Compliance Is the Same for Everyone — Except It’s Not
One of the most interesting things about HIPAA compliance is that the very same compliance requirements and duties apply to virtually every entity regulated by this law. From the smallest MD’s offices with a single physician to the largest integrated health systems, the compliance requirements, with very few exceptions, are identical for all regulated entities. The reason that HIPAA compliance can be achieved by every size and type of regulated entity is that the HIPAA Regulations (the Regs) are intentionally designed to be scalable, flexible, and technology-agnostic.
This means that an integrated health system can set up a complex, cloud-based system for daily backups of critical data, while a small physician practice can meet the same compliance requirement (§164.308(a)(7)) with daily, onsite backups to a portable hard drive. Similarly, a large IT services company can build a sophisticated auditing system to comply with HIPAA’s auditing requirement (§164.312(b)), while a small app developer can rely on their cloud provider or hosting company’s free auditing resources to meet the very same requirement.
For full compliance, regardless of the scale or complexity of the system used to achieve specific compliance requirements, or which technologies are used to achieve them, it only matters that each requirement is successfully met.
HIPAA Compliance — What Can Go Wrong?
Before we examine what successful compliance programs have in common, it’s important to understand what we can learn from compliance failures. Based on my experience, compliance failures are generally due to one or more of three primary reasons:
- Lack of leadership commitment to, or understanding of, HIPAA compliance.
- Failure to assign sufficient resources (time, personnel, or funds) to achieving compliance.
- Failure to research and understand what the specific compliance obligations actually are.
The first point is the most damaging. If a company’s leadership doesn’t accept that compliance is critical to the success of its business, other members of the workforce will follow suit. Leadership sets the tone and the goals of the business, and senior management buy-in is critical to compliance success. One might think, in light of recent ransomware attacks and well-publicized hacks on some of the largest firms (e.g., Anthem, Target, and LinkedIn), that management buy-in for full compliance would be easy. But this is not always the case. In my experience, the reason behind this gap is twofold: 1) Leadership doesn’t always understand that full compliance with HIPAA helps prevent hacks and malware infections; and 2) Leadership doesn’t recognize that health data is, quite literally, cash to the criminals who would steal it and resell it in “darknet” markets. This sort of ignorance can spell disaster for HIPAA-regulated entities.
The second main reason for compliance failures, not assigning sufficient resources for compliance, is easier to understand, but is just as destructive. With the exceptions of perhaps Apple or Amazon, there are very few businesses today that have unlimited cash on hand. This necessitates prioritizing goals and projects and making difficult choices. In a tight economy, compliance may appear to be a lower priority than some other vital goals, but firms that fail at compliance often fail because they don’t understand what resources are actually required, or because they simply underestimate resource requirements. Either way, the results can be the loss of business, reputational damage, failed mergers, acquisitions or investments, or worst of all, sizeable fines and penalties from HIPAA’s enforcers.
The third and last reason some businesses fail at compliance is unfortunately commonplace. Many firms simply don’t understand what full compliance really means or what it involves, despite their best efforts. There are only a small number of credible HIPAA experts in the nation. But there is a huge body of misleading literature on the Internet that provides an incomplete or inaccurate picture of what full compliance with HIPAA actually entails.
For developers in particular, any of the above reasons can block a successful compliance effort and the successful business launch of a digital health product. But the most common reason a given developer fails at compliance is the mistaken belief that HIPAA compliance only applies to the app that they are building, and not to the developer’s company as a whole. This is a dangerous and all-too-common misconception. In fact, every element of a developer’s business must become fully compliant with HIPAA.
What Do the Most Successful Compliance Programs Have in Common?
After our brief glimpse at how and why companies fail at compliance, let’s look at what successful compliance programs have in common. While we certainly can and should learn from the failures of others, successful compliance programs have the most to teach us.
Over the years, I have observed five factors that appear to be common to successful HIPAA compliance programs:
- Leadership is committed to full compliance.
- A culture of data security and privacy is fostered.
- Everyone in the organization is involved with compliance.
- Professional help is obtained when needed.
- A compliance narrative is created and maintained.
I will expand on these five factors below:
- Leadership is committed to full compliance — This is perhaps the most important determinant of compliance success. Leadership and senior management must be totally committed to full compliance, and their commitment must be visible. If the boss makes compliance a top priority, and staff see and hear their leaders affirming this on a regular basis, the resolve to achieve and maintain compliance will be infectious and inexorable, and full compliance will be the result.
- A culture of data security and privacy is fostered — Good data governance is only generated by a culture of privacy and security awareness. It’s easy for the workforce to think that compliance is only the responsibility of senior management, IT staff or the Compliance Officer. In the real world, however, a phishing email with malware can appear in any employee’s inbox, with potentially disastrous results. Every member of the workforce can either support a state of full compliance on a daily basis, or can endanger the entire organization with a careless mistake. Throughout daily business operations, all discussions, memos and meetings should consistently foster a culture that understands the value of data, the trust clients place in the company, and the ever-present threats to be guarded against.
- Everyone in the organization is involved with compliance — The emphasis here is on the word everyone. It may be tempting to think that your janitor, receptionist or maintenance workers have no part to play in your compliance program. But these are frequently the first people targeted by hackers looking for a way into your network, your data, or your bank accounts. Absolutely every person in an organization should be trained on good data hygiene, should understand common threats to data and privacy, and should understand at least the basic principles of HIPAA’s requirements. If some workers are left out of your compliance program, they will become the weaker links that will be discovered and exploited.
- Professional help is obtained when needed — The most successful compliance programs are led by people who know their limits. If specific details of HIPAA compliance are vague or incomprehensible, these firms find the help they need and engage it promptly. Whether it’s technical, legal, or administrative assistance that’s needed, savvy companies find the most qualified experts and vendors to assist them. The well-worn joke about men not wanting to ask for directions when they’re lost isn’t very funny when those men are responsible for your firm’s compliance. Successful compliance programs almost always include a well-used network of experts and authoritative resources.
- A compliance narrative is created and maintained — This is the sign of a truly advanced compliance program, and its importance cannot be overstated. In addition to actually becoming fully HIPAA compliant, every regulated entity has to be able to prove its compliance to others. Mediocre firms scramble to assemble evidence of their compliance efforts, and only when asked. The most successful compliance programs develop and maintain a compliance narrative, an easy-to-understand story of how they complied, complete with illustrations and supporting documents. You must be able to prove your compliance to customers, prospects, the OCR (one of HIPAA’s enforcers), or even a judge or jury. A compliance narrative should be created in advance, and maintained over time for just this purpose. For developers, this is exactly the evidence of full compliance that investors and hospitals are looking for.
Developers, tech firms and healthcare providers can all learn from the compliance mistakes of others. I recommend that you rise above merely avoiding the failures described here. Instead, strive to emulate the most successful compliance programs. By doing so, you’ll reduce your overall risk and will be doing your customers the greatest service possible: safeguarding the precious data they entrust you with.
About the Author
Abner E. Weintraub is a recognized national authority on HIPAA, the HITECH Act, and digital privacy and security. He was involved in the earliest days of HIPAA as the Business Administration Team Leader of the group that produced the original HIPAA Compliance Extension Plan for the US Dept. of Health and Human Services, released in March of 2002.
In addition to founding one of the largest HIPAA companies in the US, Abner has completed hundreds of HIPAA consulting engagements and has personally trained thousands of individuals on HIPAA. He has published numerous HIPAA articles and reports and has been quoted countless times in various national media. Abner has also served as a HIPAA Expert in legal cases in multiple states.