How Do You Change the HIPAA Culture of Your Hospital?

Over on EMR and HIPAA, I wrote an article about the “Just Enough” culture of HIPAA compliance. I’m sure that many of you reading this post will be very familiar with this culture. Unfortunately, it’s rampant in so many hospitals across the nation. Even when a few people in the organization are hyper focused on doing more about HIPAA compliance, they’re often stifled by others who want to do just enough.

In response to this post, Christopher Gebhardt offered these suggestions on when a hospital’s culture has a “funny” way of changing:
– Through the genuine interest of senior executives leading the charge.
– After being slapped with a violation.
– When OCR shows up at your door. The latter defeats the “it can’t happen here” mentality.
– When OCR takes action, repeatedly, for known violations against your competitors.

I think you could define Christopher’s description as a reactionary approach to HIPAA compliance. I think it’s fair to say that along with being a “just enough” culture of HIPAA compliance, healthcare is also very reactionary. There are some notable exceptions to this, but HIPAA and security compliance are very reactionary in most hospitals.

Culture is a hard thing to change at any organization. However, I think we’re entering a new era where a culture of security and compliance is going to be very important to every healthcare organization. With social media, there’s nowhere to hide anymore. An investment in the right hospital security and privacy culture will likely pay off greatly in the long term.

About the author

John Lynn

John Lynn is the Founder of the, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • John,
    Thanks for posting. Yes, we must get past a “check the box” mentality, as Rita Bowen from HealthPort labels it. Keeping patient information secure and private must be as important to healthcare workers as our checking / savings and credit card account numbers are to the bank folks.

  • Great post, John! “The only constant is change,” and compliance departments should be preparing their organizations through training with the support of executive management. Privacy and security of patient information is only going to become more important, especially with the increase in medical identity theft. Business associates may experience these same issues in regard to the cultural shift since Omnibus is now holding them accountable.

  • Alisha,
    You’re right that business associates need that culture shift as well. Although, for many of them, it’s not just a shift in culture, but a creation of that culture.
