I have worked in healthcare IT for most of my professional career. As I look back, it's becoming increasingly difficult to remember what life was like before regulatory compliance laws such as HIPAA were in place. IT projects were completed much like they are today, where time is always of the essence and system stability is crucial. Our main customer continues to be the medical staff, and the wellbeing of the patient will always be our highest priority. But there has been a definite shift in certain aspects of technology delivery.

It used to be that support and implementation plans would focus on what was least disruptive to the physicians, nurses, etc. While that still holds largely true, HIPAA has become the trump card over staff convenience.

Several years ago it didn't matter who was logged into a computer when a nurse accessed patient data. What was important was that staff could walk up to the nearest PC and quickly retrieve the needed information. Accessibility reigned. That didn't mean it was the most prudent way to secure private healthcare data; it was just the path of least resistance. A stroll down hospital halls today, however, reveals PCs with screen savers and input boxes awaiting user authentication. It's probably not what staff wants to see, especially with their busy schedules and the number of patients being cared for, but HIPAA is now dictating that securing sensitive data is more important than the few extra mouse clicks it takes to complete a

There is something to be said for the weight that physician voices carry, though. They are, after all, the ones responsible for most of a hospital's revenue generation. No doctors mean no hospital, and no hospital means no jobs. The shortage of other healthcare professionals such as nurses also plays a part in the relationship between medical staff and IT departments.

Prior to HIPAA, hospital users could dictate some of the fine details of a system rollout and its maintenance. They can still significantly influence the purchase of a new system and its use, but the new system must now pass a final litmus test for HIPAA compliance before being acquired and put into use.

Without government regulations in place that carry significant criminal and civil penalties, companies previously erred on the side of higher efficiency and a healthier bottom line, even well-meaning companies. And even though network security and data integrity have always been important, companies haven't always spent the money or time necessary to reach an acceptable standard. Companies have long known what should be done to protect a patient's personal healthcare data, but the effort generally wasn't there. However, money talks, and it is now too expensive not to comply with regulatory laws. Efforts presently place an emphasis on securing data through encryption and safeguarding corporate procedures against data breaches. Because CIOs and CEOs are ultimately responsible for violations, the effort for change has trickled from the top down.

HIPAA has dictated important changes to more than just end users. IT staffs must also adhere to what it takes to be HIPAA compliant. Regulatory compliance was a tolerable notion when it only meant users had to jump through additional "hoops" to complete their jobs. But when IT departments had to change their modus operandi, they too discovered that the new laws were difficult to bear. Domain administrators aren't used to having their network or system access restricted, but that's exactly the kind of change laws such as HIPAA have brought.

If you don't have a legitimate reason for accessing private data, access should be denied. Even the number of IT staff included in the Domain Administrators group must be considered. Besides running counter to generally sound security practice, an oversized group is something auditors will flag as a potential HIPAA violation. These are difficult pills for some IT pros to swallow, as they are accustomed to having free rein over their network. But slipping on this slope can mean you're searching for a new job tomorrow, so proceed with caution.
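The Domain Admins review described above is easy to turn into a repeatable check. The following is an added example, not from the original post; it assumes the RSAT ActiveDirectory module is installed, and the membership ceiling and stale-logon window are assumed policy values to replace with your own.

```powershell
# Added example: audit Domain Admins membership the way a HIPAA auditor would.
# Requires the ActiveDirectory module (RSAT). Run with a read-only account.
Import-Module ActiveDirectory

$MaxMembers = 5     # assumed ceiling from local policy; adjust to yours
$StaleDays  = 90    # assumed window; admins idle longer than this are flagged
$Cutoff     = (Get-Date).AddDays(-$StaleDays)

# -Recursive expands nested groups, so accounts that inherit Domain Admins
# through group-in-group membership are counted as well.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, Enabled, PasswordLastSet
    }

# Build one finding per member, with flags for the conditions auditors ask about.
$findings = foreach ($u in $members) {
    $flags = @()
    if (-not $u.Enabled) { $flags += 'disabled-but-still-admin' }
    if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $Cutoff) { $flags += "no-logon-in-$StaleDays-days" }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        LastLogonDate   = $u.LastLogonDate
        PasswordLastSet = $u.PasswordLastSet
        Flags           = ($flags -join ',')
    }
}

$findings | Sort-Object LastLogonDate | Format-Table -AutoSize

# Headline numbers an auditor would want: total size versus policy, then each flagged account.
if (@($members).Count -gt $MaxMembers) {
    Write-Warning "Domain Admins has $(@($members).Count) user members (direct or nested); policy ceiling is $MaxMembers."
}
$findings | Where-Object { $_.Flags } | ForEach-Object {
    Write-Warning "$($_.SamAccountName): $($_.Flags)"
}
```

Schedule it and keep the output with your other compliance evidence; the membership list and the list of flagged accounts are exactly what an auditor will ask to see.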

I would be interested to hear how other regulatory laws such as Sarbanes-Oxley and the Gramm-Leach-Bliley Act have affected IT in your organization. Sound off and let me know!