Friday, October 7, 2011

A tale of two Covered Entities (Prologue)

This week we met with two different healthcare providers, or, in HIPAA-speak, "Covered Entities" (CE).

And they couldn't possibly have had more different responses to the concept of HIPAA / HITECH compliance.

The first CE (we'll use the pseudonym "London Healthcare") didn't know that much about HIPAA / HITECH requirements. Over the course of our conversation, though, they were extremely receptive to learning what they could about it, and quickly got to the point of detailing a gameplan.

We wrapped up our 2-hour meeting with some clear action items for both parties, and an enthusiastic, positive mood all around.

The second CE (we'll call them "France Healthcare") knew precious little about the subject either. And over the course of our 24-minute conversation, it was painfully clear that they didn't want to know any more.

Their perspective was that HIPAA / HITECH was frivolous law, and that rumors of auditors assessing fines were all fake propaganda. We left each other without any progress, with tangible distrust and frustration as the remaining attitudes all around.



So, what was the difference? Why did these two small CEs have such completely different perspectives on the significance of HIPAA & HITECH?

After thinking it over for a few days, here's the best explanation I can come up with:

1. TRUST (or the lack thereof):
   

Our positive, receptive CE, "London Healthcare" (again, real names changed to protect the innocent...), TRUSTS ME AND MY COMPANY.    We've got a relatively long relationship where they've trusted us with pretty much their entire I.T. operations, and we've not let them down.   In their words, we've always been quick to respond, looked out for their best interest, and on top of things.  So there was already a high degree of trust there.

On the other hand, our not-so-receptive client, "France Healthcare," is a new client for us, and doesn't quite yet trust us. They're obviously holding us at arm's length still.

2. HOW WE APPROACHED THE SUBJECT:

We went to "London Healthcare" to start planning a major I.T. infrastructure refresh, but we walked through it from the perspective of how each piece is colored by HIPAA / HITECH.   I think this helped them understand that these laws aren't completely frivolous, but that they're a good framework for looking at all your practice's I.T. decisions and infrastructure.

We went to "France Healthcare," though, to talk about HIPAA / HITECH.   I'm fairly certain that from the moment we walked in the door, they felt like they had to be on the defensive, and that they knew they weren't compliant, but didn't want to acknowledge that it's "that big of a deal."

SO, end result?  Shame on me, at least to some extent.   My customers, and our healthcare community at large, need to prepare themselves appropriately against the threat of a HITECH audit. 


Don't believe me?   Do you think this "HITECH junk" is smoke & mirrors?


1. Check out the Department of Health & Human Services' wall of shame here.
   (Here's the full URL: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html)

There are two companies in my home town of Baton Rouge, LA listed there!   And these are just for breaches affecting 500 or more individuals!


2. Did you know that HHS imposed a $4.3 million fine earlier this year for HIPAA violations, as its first official fine? In the Office of Civil Rights director's words...

“Today the message is loud and clear:  HHS is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule and ensuring provider cooperation with our enforcement efforts,”  -OCR Director Georgina Verdugo.

There are other cases of fines too, but that was a nice way for them to get the party started.



Anyway, back to my two customers, "London" and "France."

Congratulations to London.   Clients that are raving fans are usually going to be more receptive to new ideas, but this client looked at the whole concept from a business perspective, quickly realized that the HIPAA regulations just detailed good business practices anyway, and almost immediately set up an action plan, a timeline, and an educational agenda.    WOW.


And France?   We've both got some work to do.   I'm going to continue trying to educate them, gently and persistently.   And we'll talk about it next time piece by piece, and perhaps from a different perspective.

So, our tale of two cities is just getting started.

I'll keep you posted on how the war goes. :)
