A great movie with many examples that could be used for HIPAA compliance. In regard to number 10 specifically, The Operative, an assassin, was sent to review the people and procedures that allowed River's escape and changed the "internal processes" to make sure such an intrusion wouldn't happen again (albeit in a very violent fashion).
Just coerce all the victims to sign waivers.
That appears to be the intention behind the hypocritical HIPAA, as with the privacy violation policies of most discussion sites and "social media", Google, Yahoo!, etc.
"Sure, sure, we'll respect your privacy... right up to the point we decide it would be more convenient to let every person who was ever a nurse, every federal bureaubum in or outside of HHS, every radiologist in Red China and India, every major bank chain, all of the former spies who run the 'credit rating agencies', every protection racket that calls itself an insurance company and all of their guest-workers, every current and former accountant in the facility to abuse your personal private information for private gain or amusement, but we might withhold it from your designated doctor and your spouse and certainly your lawyer who might spot our many other privacy violations and take legal action against us."
I prefer Zelazny's story, My Name Is Legion, in which the hero snags a multitude of alternate identities so that he can live free and thereby anonymously combat the abuses created by the identification system.
OK, so everyone had their opportunity to poke some fun and use quirky analogies BUT... if you are a tech involved in this, it is a nightmare. I support a handful of SMB physicians and dentists who are governed by HIPAA and must be compliant. It is next to impossible. The lawyers who offer their services are an overpriced joke and do not come close to bringing a small office next to compliance. They just grab their 6-8,000.00 and provide a book or 2 and run for the hills. We, the IT people, are left to bathe in the aftermath. I would like to see WHERE I could buy a prewritten set of policies and procedures that I could customize. I could do it for a lot less than the sharks and be more compliant than they ever were (unless of course you are a hospital or large agency with megabucks).
Mike,
The author originally included a link to TechRepublic's set of policies and procedures, but I took it out because I didn't want to be too self-promoting. But since you're looking for templates, here's the link: http://www.techrepublic.com/downloads/it-professionals-guide-to-policies-and-procedures-4th-edition/1004655. A lot of stuff in the package isn't HIPAA related, and I think you'll still want a lawyer to vet the policies after you've customized them, to be sure they're ironclad. I also turned up a bunch of possibilities doing a search on "hipaa policy templates." Maybe some other members will jump in here with specific suggestions. Hope this helps!
--Jody
Hi Mike - I worked for a company that had purchased a set of policies that I thought were pretty decent starting points. I *think* that this was the source: http://www.hipaastore.com/hipaa-policies-for-covered-entities-p-10.html I can't find a preview link to be sure, unfortunately.
I completely agree with your general frustration. Should a dentist's office and a multi-billion-dollar hospital chain be expected to meet the same level of compliance? I do know that most of the lawyers I speak to about this don't have any perspective on the cost (or feasibility) of what they are asking for.
Thank you for the feedback!
HIMSS (Health Information Management Systems Society) has a lot of free resources available. The link below goes to a few sections specifically in their Privacy & Security Toolkits section and the 2nd link goes to the Policies & Procedures subsection which includes some whitepapers and actual examples from actual organizations.
http://www.himss.org/ASP/topics_pstoolkitsDirectory.asp?faid=569&tid=4
http://www.himss.org/ASP/topics_FocusDynamic.asp?faid=382
How about the Andromeda Strain? If they hadn't audited the growth results of the test on the alien virus, they wouldn't have caught the cure. The woman who was initially reading the results had epilepsy and the flashing light signalling success put her into a minor seizure and she missed it! An audit of the processes may have changed that too!
If you are a patient or tech involved in this, it is a nightmare. It's dishonest. It's fraudulent. The title and PR say one thing, but the text of the statute says something else... which is fairly common, actually.
What is needed is push-back, complaints/law-suits not "compliance", until a measure which genuinely protects patients' privacy in a reasonable manner can be enacted.
As I work on these initiatives, I try hard to stay focused on what needs to be done and not think too much about the quality of the policy. When all is said and done, as a 'patient', I don't feel more 'protected' with this legislation in place. And I hate knowing that this is just one more thing to drive up health care costs.
I enjoyed your run-down of a not-so-sexy topic, but I have to wonder...why is it that all the good guys are busy subverting security while those involved in maintaining it are part of the dark side for all the movie analogies?
I think one of them might qualify as the security policies helping the good guys (2012?), but, based on this limited sample-set, it seems that movie-going audiences prefer their protagonists be the ones thwarting the rules and not enforcing them. Thanks for the comment!
I agree that the points mentioned are an excellent starting point for any organization [HIPAA or non-HIPAA] as they facilitate the foundation of a STRONG AND STABLE organization.
If Sam Wheat's (Patrick Swayze) company had had better audit policies in place, Carl Bruner (Tony Goldwyn) would have been busted just as the movie started and we'd have spent the last hour of the show watching a too-happy young couple never meet Oda Mae Brown (Whoopi Goldberg).
Yes, obviously the points are boring, as all the different types of compliance have these points. The only thing that needs to be taken care of is that these controls are implemented around the IT systems that have the PHI data.