Fearful of lawsuits and hefty civil penalties, some public and private institutions have erred on the side of caution, implementing more stringent HIPAA safeguards than were originally intended. Since the law is intentionally vague about what organizations must do to comply, they would rather be safe than sorry. Even with the best of intentions, some standards for controls have had to be settled by regulators and the courts. One company that learned this the hard way was BJ's Wholesale Club, which recently settled with the Federal Trade Commission over charges that it failed to adequately safeguard sensitive customer information on its systems.
Then there's the required cultural shift. Beyond the technical safeguards, companies also need to promote security awareness and ethics training, along with education on, and enforcement of, corporate security policies and procedures covering topics such as password standards, encryption and data classification. That level of cooperation has been hard to come by. Compliance laws have put more pressure on IT security and on the enterprise users who ultimately make or break any approved security program. Political battles and their fallout are new territory for some IT workers.
So what do we do?
For smaller practices, there is probably no way around it: you are just going to have to bring in a hired gun. Just yesterday I was chatting with another consultant, and he passed on the story of a four-doctor practice that decided to roll the dice, skip the few thousand dollars it would take to make their new systems compliant, and just hope that nobody complains. Because my friend is a pretty ethical guy, he turned down the gig; he knew that particular shortcut had every possibility of turning out badly. There are a lot of ways to save a nickel, but failing to take the required steps to protect your patients' PHI is a very pound-foolish one.