An iconic symbol of on-the-job hilarity is the I Love Lucy episode in the candy factory. The vision of Ethel and Lucy shoving candy in their mouths, tops, and hats as the conveyor belt moves past can’t help but make you laugh.
The scene goes something like this:
Manager: “One piece of candy gets past you and into the packing room unwrapped – you’re fired.”
Ethel: “We can do this! It’s easy.”
Lucy: “Ethel, I think we’re fighting a losing game.”
Manager: “You’re doing splendidly. Speed it up a little!”
The episode is a classic, but why am I using it here to talk about HIPAA?
The misperception that HIPAA is no big deal and that “It’s easy” has come up in conversations several times lately. Those who think there is nothing to it if you have some policies written up and do a video class once a year aren’t doing the work of HIPAA at all. They are only getting the conveyor belt running on super low speed, not even beginner speed. At least a beginner is trying to learn what to do. Some of these folks are just seeing it as some quick paperwork to file and be done with. They aren’t even taking the time to learn what is really involved or to take it seriously at all.
I am not saying that Privacy and Security compliance is something horribly arduous and can’t be done without hiring lots of folks like me, but it isn’t something to take lightly either. The documentation and training required to do this compliance properly is much more intensive than some of the other compliance programs many groups have done before.
That attitude will not be helpful when you are trying to create documentation for your program after you get a request from OCR or even one of your business partners. As breaches grow and more people get concerned about their data security, business partners will need to show they have a robust program in place. That isn’t something you can prove with a quick document someone draws up when you are asked. It also isn’t something you can build quickly from nothing. It is a process and requires time, planning, and training.
We recently sent one of our Business Associate Due Diligence questionnaires to a company that offers a tool for many uses. One specific use that they advertise is using it for online appointments for doctor’s offices. They said they would sign a BAA and that they did do HIPAA compliance.
We don’t ask very complicated things in the due diligence, but we do ask specific questions that should indicate whether they have a real compliance program. We ask 28 questions about things like “Do you have a training program for security awareness and HIPAA requirements?” and “Have you done a Security Risk Analysis?”
We often get interesting responses to those questionnaires, but this particular one was, well, let’s just say more concerning than others. The response included answers to only 2 of the 28 questions, plus a comment. One answer was that they knew they were supposed to do HIPAA; the other was the name of their Security Officer. Then came a comment that said: “Clearly, we don’t take HIPAA as seriously as you do.”
What the what! They have signed BAAs and have CE customers using their cloud app, but they aren’t “taking HIPAA seriously.” They think it is something they don’t really have to take seriously?
Please check on your Business Associates beyond just whether they will sign a BAA for you. You are the one who will ultimately pay the price for their “We can do this! It’s easy” attitude.
Of course, I haven’t even addressed the ones who are arrogant and tell you they are compliant because they use X service, so there is nothing else for them to do. They don’t even know there is a conveyor belt rolling with chocolates yet!