By Jack Anderson
August 31, 2015
Professor Solove talks about telling a physician that he is a professor that focuses on information privacy law, which elicits a frown and the question, You mean HIPAA? I know that face. I was talking with a physician friend this morning and he was proudly showing me his new telemedicine setup in his office. He remarked that Skype was not HIPAA compliant and I answered that applications can’t be HIPAA compliant only companies can be HIPAA compliant and he gave me that same face. I agree with Professor Solove that a lot of the problem is a lack of education by HHS but I would add further that a big problem is that physicians have outdated notions of HIPAA to which they stobbornly cling.
It is much easier to explain the requirements to a businees associate that has no experience with HIPAA. Protecting data makes a lot of sense to them and the HIPAA rules are logical to them. The critical factor is the risk assessment. It is very difficult to get a physician practice to pay for a HIPAA risk assessment based on the NIST protocol, but without that they don’t know where they are at risk. Your can’t remediate a risk until you have identified the risk.
We have given our clients protocols to do internal risk assessments but many of them find it too difficult and time consuming. Fortunately, just as we automated and made simper the process of setting up customized policies and procedures, ACR2 Solutions has done the same with risk assessment. What formerly would take many hours of either internal resources or an outside consultant can now be done in a few hours over the Internet.
We have teamed with ACR2 Solutions to bring risk assessment to our clients and we are in the process of linking our two systems to deliver the cycle of compliance. This covers the three pillars of HIPAA compliance; up to date risk assessment, up to date policies and procedures, documented training of staff.
For more information contact Jack@compliancehelper.com or Jack.K@acr2solutions.com