Part 1 in a 2 part series that should remind us that ‘compliance’ is a requirement of minimum effort, not necessarily best effort.
Have you ever had your car serviced for a mechanical issue, only to find the interior vacuumed, wiped, and smelling fresh? Getting simply what you asked for, for example an oil change, was no more and no less than what was expected…but does that necessarily make it a job well done?
In all regulated industries, and especially healthcare, compliance is an effort to meet the requirements of the law. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a venerable driver of compliance; it is a standard among standards. “Are we compliant?” asks Karen. “You bet!” I reply. High fives ensue, and it’s on to the next piece of business. But this is an overly-distilled analysis of a very complex and dynamic problem, and the very belief that one is in compliance may be a greater risk than one is not.
Every morning I awake, sometimes hours before the fail safe alarm. I reach for my smartphone and begin trolling the internet for relevant data breach news I can use to steer behavior. I never have to look hard, but these days it is not uncommon for me to have to select between stories. If everyone is compliant, then why are so many failing? Two distinct possibilities exist: many believe they are compliant when they are not, or being compliant is simply not enough. Let’s focus on the latter of the two.
In early 2009, Heartland Payment Systems announced it had been the victim of an historic data breach, despite being certified to the stringent requirements of the Payment Card Industries Data Security Standard. If this exceptionally thorough and rigorous validation of compliance is not enough to ensure safety, can anything? The short answer is no. The moment you believe you are safe is the moment you are at your most vulnerable. Compliance is and always should be considered a minimum.
This is not meant to deprecate compliance as an accomplishment. Achieving compliance is not necessarily a simple thing. It is expensive and time-consuming to establish, and it takes an ongoing effort to maintain. It is only through rigor that standards are upheld, and that takes ongoing measure of discipline and dedication. But is that enough?
New England Geriatrics is engaged in an ongoing and comprehensive effort to protect patient information. I have dedicated my career to protecting patient information, but it is not my burden, it is my passion.