It’s the people, people.

When developing training courses for Privacy and Security Awareness programs I keep trying to find new and different ways to get the important points across.  Real world examples seem to make the most impact when it comes to the participation in live training.  That got me to thinking….

crowd-sourcing-154759_640It really is all about the people.  Patients, providers, clinicians, billers, administration are all people who start the ball rolling.   Programmers, software and tech support, network support are all needed to get the information into the computers and moving to the next step.  Payer’s have tons of staff members who are involved in all those areas to process the claims.  All kinds of financial and clinical processes occur but none of them can truly happen without people.  If all those people were able to fully protect PHI we would have a perfect world.  But, they aren’t the only people involved.  Plus, the phrase “you’re only human” is most often used when we can’t accomplish something expected or we make a mistake.

There are also the hackers, identity thieves, information sellers, snoopers, and bad actors of all sorts.  They are all people too.  They are all actively involved in getting around any of the safeguards the first set of people have in place.   Eventually, systems do fail and let them get what they are after within your systems.

So many discussions are about how to make the work of compliance all automated.  I am trying to do it myself all the time.  We live in a world where technology allows us to make so many things automatic.  We get used to doing many tasks on autopilot.  With something as important as Privacy and Security compliance autopilot seems like the way to go.

However, you can’t automate people.  You can only automate systems.  Systems have to be designed and automated by people.  People have to monitor the systems.  People are always coming up with new ideas that require changes to the systems.  Then, people have to change the systems they created.  The cycle is a vicious one.  All the while the bad actors are trying to attack and break the systems you just put in place to keep them out.

We can only automate so many things before someone finds a way around what you have automated.  If our automation realizes there is something odd going on and sends out alerts, that’s great.  But, people have to look at them and know when and how to act upon those alerts.  Of course, that is if the automated system noticed the suspicious activity and let someone know in the first place.  What if the system never told you to look?  Would you look?

The important thing for all of us to remember is it is really always about the people.  Don’t think you can put your compliance program on autopilot because people will certainly find a way to crash that plane whether on purpose or by a simple mistake because we are all only human after all.

Filed under: HIPAA Tagged: Audit, Business Associates, Protected health information, Security, Small Provider