I have worked in healthcare IT for most of my professional career. As I look back, it's becoming increasingly difficult to remember what life was like before regulatory compliance laws such as HIPAA were in place. IT projects were completed much like they are today, where time is always of the essence and system stability is crucial. Our main customer continues to be the medical staff, and the wellbeing of the patient will always be our highest priority. But there has been a definite shift in certain aspects of technology delivery. It used to be that support and implementation plans would focus on what was least disruptive to the physicians, nurses, etc. While that still holds largely true, HIPAA has become the trump card over staff convenience.

Several years ago it didn't matter who was logged into a computer when a nurse accessed patient data. What was important was that staff could walk up to the nearest PC and quickly retrieve the needed information. Accessibility reigned. That didn't mean it was the most prudent way to secure private healthcare data; it was just the path of least resistance. A stroll down hospital halls today, however, reveals PCs with screen savers and input boxes awaiting user authentication. It's probably not what staff want to see, especially with their busy schedules and the number of patients being cared for, but HIPAA now dictates that securing sensitive data is more important than the few extra mouse clicks it takes to complete a task.

There is something to be said for the weight that physician voices carry, though. They are, after all, the ones responsible for most of a hospital's revenue generation. No doctors mean no hospital, and no hospital means no jobs. The shortage of other healthcare professionals such as nurses also plays a part in the relationship between medical staff and IT departments. Prior to HIPAA, hospital users could dictate some of the fine details of a system rollout and its maintenance. They can still significantly influence the purchase of a new system and its use, but the new system must now pass a final litmus test for HIPAA compliance before being acquired and put into use.

Without government regulations in place, which carry significant criminal and civil penalties, companies previously erred on the side of higher efficiency and a healthier bottom line, even well-meaning companies. And even though network security and data integrity have always been important, companies haven't always spent the money or time necessary to reach an acceptable standard. Companies have long known what should be done to protect a patient's personal healthcare data, but the effort generally wasn't there. However, money talks, and it is now too expensive not to comply with regulatory laws. Efforts presently place an emphasis on securing data through encryption and safeguarding corporate procedures against data breaches. Because CIOs and CEOs are ultimately responsible for violations, the effort for change has trickled down from the top.

HIPAA has dictated important changes to more than just end users. IT staffs must also adhere to what it takes to be HIPAA compliant. Regulatory compliance was a tolerable notion when it only meant users had to jump through additional hoops to complete their jobs. But when IT departments had to change their modus operandi, they too discovered that the new laws were difficult to bear. Domain administrators aren't used to having their network or system access restricted, but that's exactly the kind of change laws such as HIPAA have brought. If you don't have a legitimate reason for accessing private data, access should be denied. Even the number of IT staff included in the Domain Administrators group must be considered. Besides being a generally sound security practice, auditors will flag too many members in that group as a potential HIPAA violation. These are difficult pills for some IT pros to swallow, as they are accustomed to having free rein over their network. But slipping on this slope can mean you're searching for a new job tomorrow, so proceed with caution.

I would be interested to hear how other regulatory laws such as the Gramm-Leach-Bliley Act have affected IT in your organization. Sound off and let me know!