Today we put “Employee compliance” posters on the board in the lunch room… and one of the posters had to do with Hipaa compliance…and the items listed on the poster was of interest for a couple of reasons to me and made me think about the concept of “compliance” … it implies that my firm was going to be soon complying with some or all of those items… furthermore it very specifically implies that certain tasks will make me Hipaa compliant if I follow those items… and as I read over the list, while many (all) of the items are certainly valid and worth striving for, the concern I had was that the poster wording implied that “compliance” was specific to these items. That if I didn’t do them, I’d not be compliant. And by merely posting the document on the wall, in front of employees, had I bound myself and my firm to standards that I questioned were specifically deemed appropriate for my firm since we don’t administer medical plans on site and typically don’t have EPHI stored locally? And who decided that these items were the ones to strive for?
The reality is that the intent of Hipaa and in fact most of the Security regulations are to be silent to technology and specifics and be much more ‘goal’ minded.
If you read the Hipaa regulations you will find that it is silent in specifics..
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information
the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the
security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such
information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
In fact if you search the document for the specific word of “firewall” it doesn’t exist in the Hipaa final regulations at all:
And certain items are required (concrete goals) whereas the items I would call “lofty goals” are categorized as “addressable”. What is stressed is a review, and risk analysis and management. But a definition of “Firewalls” as a required Hipaa compliant device? The document is infact silent as you can see. So that gets back to my arguement about who is making the interpretations of “compliance”. If the document itself is silent as to “firewall” how can you say that you are in compliance with regulations when the regulations themselves are silent as to specifics?
Granted, it’s wise and a good thing to have network firewalls, and one could argue that in this day and age, if you don’t have a network firewall as a bare minumum security measure… how about you use a Dixon Ticonderoga and stop using computer, technology and the Internet until you understand such basic fundamentals of barriers and protection…and in fact I’d strongly argue that if you only rely on the external firewall and consider that a host based operating system level firewall is too much and not needed that you possibly reconsider that as well, (i.e. the built in Windows XP SP2 firewall that is on by default inside a well run SBS 2003 network), but to merely imply that you are compliant because you did “that” and nothing else but that so that’s all you need to be compliant and secure, right? Just checkmark a box and that’s all you need to do, right?
And does blindly sticking that poster on a wall mean that you’ve now agreed to that firm’s interpretations of Hipaa regulations? Who defines compliance here? When any consultant defines, brands, marks you as compliant, all they have done is make an interpretation about what they think being compliant means. It doesn’t necessarily mean you are compliant with the regulations themselves which …by design… are vague and technology neutral.
In fact, I’d argue that instead that the current state of “compliance” is driven by one factor..the hurt factor. The reality is that compliance is driven by what hurts us. What gives us pain. If something isn’t painful or doesn’t have ‘teeth’ in the law, we won’t do it. We don’t voluntarily pay income taxes, there’s a threat of jail time over our heads if we don’t. We don’t voluntarily save money in savings plans because right now we don’t see the pain. We don’t see that our retirement is coming faster than you think but for now we spend, and use credit cards and live paycheck to paycheck because right now it doesn’t hurt us..and we don’t see the pain. So the only time we push for better security is when we have a threat of pain over our heads.
What should be our goal in compliance is the “golden rule of data”. We should set up our systems to protect data how we want our own personal data to be protected. What would we like to see protecting our most precious data? We’re not there yet. We have ways to go. We don’t do this now. In fact we don’t make our XP sp2 systems as secure as they could be now by making them run without administrator rights. We could do better. Our vendors could do better. But we don’t make these decisions now because it doesn’t hurt enough now not to do it.
It’s a vicious cycle, isn’t it? Vendors don’t care because businesses don’t care enough. And we don’t care because it doesn’t hurt us enough to care. We can get by with not caring enough right now.
I’d say that your goal in compliance is to make sure you do what you would feel comfortable stating that you did to protect data while standing in front of a Judge, in front of a Jury, in front of your business associates, and ……most importantly of all…… in front of your very own personal data.