I don't generally start posts with personal anecdotes, but this one seems appropriate: I went to the ophthalmologist a couple of months ago and, as he slowly went out of focus, we chatted about his responsibilities under the Health Insurance Portability and Accountability Act (HIPAA). He chuckled as he told me what he was supposed to be doing.
The implication was that he doesn't do what he technically is required to. Of course, he isn't a lawbreaker. It is just that some of the more obscure requirements simply aren't going to get attention as he struggles to take care of his patients and make his practice a success.
That fuzzy conversation came to mind when I read this Computerworld story about the regulatory responsibility companies carry when they use VoIP. The writer does a good job of providing the background and laying out the current situation. The question that comes to my mind, however, is the extent to which organizations (especially small ones that don't opt to farm out the task) really will pay attention to something that sounds as obscure as protecting VoIP in medical offices. The same goes for other businesses operating under other regulatory regimes, such as brokerages and other financial institutions that must deal with Sarbanes-Oxley.
Most sets of rules operate at two interrelated levels. There is the actual crime-and-punishment angle (if you are caught, X, Y and Z will happen to you) and the less concrete tendency to follow rules, even little by little, if a good case is made for the wisdom of those rules.
For instance, few people are actually afraid that they will get a ticket for not wearing their seat belts when driving to the grocery store. But the fact that the laws exist and make sense has made it far more common for people to automatically buckle up. The increase in compliance was gradual, but it was real and significant. Likewise, the existence of the regulations, the self-evident wisdom of protecting patient privacy and the publicity surrounding failures, such as those in the California communities of Barstow and Chino Hills, are likely to gradually increase general compliance.
The gradual reduction in the number of people who smoke is another example. It is, admittedly, an imperfect comparison, since cigarettes are not illegal (for adults) and the escalating cost of the habit is a major factor in its decline. But the sense is that a big driver of the reductions is that the populace, faced with years of well-done anti-smoking PR, finally is realizing how bone-chillingly stupid it is to smoke.
Safeguarding personal and corporate information should be part of the same kind of gradual campaign. Regulatory compliance should be a very public part of the way a company -- health care or otherwise -- conducts its business. For instance, it should become part of a biannual "checkup" on health care IT, as this story at amednews.com puts it:
Though checkups should ensure that systems are in good health, they should include an analysis of how the systems meet federal requirements or standards. ... There are technical implications of HIPAA regulations that need to be in place, such as audit controls.
This site, a cooperative project of the OHIC Insurance Co. and Ohio University College of Osteopathic Medicine in partnership with Ohio University Without Boundaries, seems to be aimed at smaller medical organizations and is worth a look.
Small organizations have as much responsibility for protecting their patients' and clients' information as multinationals. Due to lack of knowledge, time and personnel, though, it seems unlikely that they are as regimented and comprehensive. Hopefully, however, compliance will gradually grow over time.