Step into the office of Brandon Ho, HIPAA compliance specialist for the Army in Honolulu, and you won't see a compliance officer scrambling through mountains of paperwork regarding new HIPAA laws.
President Barack Obama signed into law the American Recovery and Reinvestment Act of 2009 that includes new HIPAA laws, and Ho is certainly aware of them.
But panic? Urgency?
"Overzealous compliance," Ho says when HealthLeaders Media asked him what was the No. 1 pitfall for HIPAA privacy and security officers. "I've actually seen privacy practices where providers are so overly zealous with regulations and compliance with HIPAA that they end up spending more money than they ever have to. They just have to look at ways to comply in the best and most efficient way."
Ho says even with new HIPAA laws (in the Health Information Technology for Economic and Clinical Health Act), privacy and security officers need to keep it simple and not feel the need to revamp the house.
Ho, affectionately called "The HIPAA Guy" at Pacific Regional Medical Command, Tripler Army Medical Center, spoke to HealthLeaders Media about his HIPAA compliance program at his Honolulu facility and the 121st Medical Group in Korea and Camp Zama in Japan.
He also offered advice for fellow HIPAA privacy and security officers in a time of changing laws and regulations and increased patient awareness of privacy rights:
1. "Don't muddy up the water." "Despite the fact that HIPAA is always changing," Ho says, "there are always going to be some consistent truths. You can take all the nuances of all the new laws and requirements, but basically HIPAA to me is always going to be about authorization and whether patients feel OK that information is going to be disclosed."
2. Check on existing policies. Much of the new HIPAA laws and requirements point to compliance that should already be covered. For instance, HHS said information that is encrypted by NIST standards is secure PHI and therefore not considered a breach of security. "If everybody is scrambling because of these new laws, they're going to have to check their programs to see whether it's truly about complying with patient needs or just about complying with laws."