Over on EMR and HIPAA, I wrote an article about the “Just Enough” culture of HIPAA compliance. I’m sure that many of you reading this post will be very familiar with this culture. Unfortunately, it’s rampant in so many hospitals across the nation. Even when a few people in the organization are hyper-focused on doing more about HIPAA compliance, they’re often stifled by others who want to do just enough.
In response to this post, Christopher Gebhardt offered these suggestions on when a hospital’s culture has a “funny” way of changing:
– Through the genuine interest of senior executives leading the charge.
– After being slapped with a violation.
– When OCR shows up at your door. The latter defeats the “it can’t happen here” mentality.
– When OCR takes action, repeatedly, for known violations against your competitors.
I think you could define Christopher’s description as a reactive approach to HIPAA compliance. I think it’s fair to say that along with being a “just enough” culture of HIPAA compliance, healthcare is also very reactive. There are some notable exceptions to this, but HIPAA and security compliance are very reactive in most hospitals.
Culture is a hard thing to change at any organization. However, I think we’re entering a new era where a culture of security and compliance is going to be very important to every healthcare organization. With social media, there’s nowhere to hide anymore. An investment in the right hospital security and privacy culture will likely pay off greatly in the long term.