Yesterday I had the opportunity to sit down with a physician and a privacy officer from a small local covered entity. As I explained the consequences of the HITECH Act addition to HIPAA they became increasingly alarmed. I should state that this organization prides itself on being an "early adopter" and has fully implemented EMRs in its facility. But the ramifications of being responsible for the actions of their business associates horrified and frightened them.

They felt that if they even notified their business associates of their new responsibilities, they would be incurring more risk than if they did not contact them, what they described as the "tar baby" syndrome. I pointed out that they were responsible either way, but they were essentially frightened into inaction.

I offered our services for free to get them started but they said that they were just going to "hunker down" and see what happens.

In our nearly ten years' experience helping two other industries go through the painful transition to accreditation, this is a familiar response. They hope this is just going to go away and will delay and deny up to the actual deadline, and beyond. There are two events that can sway them: someone just like them gets hit with a big fine, or someone they trust convinces them that this is necessary and doable.

They need to be convinced that the first step is putting their own house in order. While they probably have policies and procedures, it is unlikely that they meet the new standards. By going through that process they will begin to understand the necessity of protecting PHI, whether it is under their control or has been given to a business associate. HHS has made it very clear that a covered entity is responsible for a breach by its business associates even if it does not know about the breach.

Fasten your seatbelts folks, it is going to be Mr. Toad's Wild Ride.
