Step into the office of Brandon Ho, HIPAA compliance specialist for the Army in Honolulu, and you won't see a compliance officer scrambling through mountains of paperwork regarding new HIPAA laws.
President Barack Obama signed into law the American Recovery and Reinvestment Act of 2009 that includes new HIPAA laws, and Ho is certainly aware of them.
But panic? Urgency?
Not quite.
"Overzealous compliance," Ho says when HealthLeaders Media asked him what was the No. 1 pitfall for HIPAA privacy and security officers. "I've actually seen privacy practices where providers are so overly zealous with regulations and compliance with HIPAA that they end up spending more money than they ever have to. They just have to look at ways to comply in the best and most efficient way."
Ho says even with new HIPAA laws (in the Health Information Technology for Economic and Clinical Health Act), privacy and security officers need to keep it simple and not feel the need to revamp the house.
Ho, affectionately called "The HIPAA Guy" at Pacific Regional Medical Command, Tripler Army Medical Center, spoke to HealthLeaders Media about his HIPAA compliance program at his Honolulu facility and the 121st Medical Group in Korea and Camp Zama in Japan.
He also offered advice for fellow HIPAA privacy and security officers in a time of changing laws and regulations and increased patient awareness of privacy rights:
1. "Don't muddy up the water." "Despite the fact that HIPAA is always changing," Ho says, "there are always going to be some consistent truths. You can take all the nuances of all the new laws and requirements, but basically HIPAA to me is always going to be about authorization and whether patients feel OK that information is going to be disclosed."
2. Check on existing policies. Many of the new HIPAA laws and requirements point to compliance that should already be covered. For instance, HHS said information that is encrypted according to NIST standards is secure PHI and therefore not considered a breach of security. "If everybody is scrambling because of these new laws, they're going to have to check their programs to see whether it's truly about complying with patient needs or just about complying with laws."
Too many compliance officers, Ho says, are concerned with laws and do not ensure patients are aware of their rights and are part of the decision-making.
"It's about empowering your client base," Ho says.
3. Make patients comfortable. The healthcare experience has to be a holistic approach, Ho says. "You need to make sure patients are comfortable at all levels," he adds. "They have to not only trust their doctors but also the people supporting their doctors."
4. Let people know you're there. Marketing your HIPAA office is key, Ho says. If you're located in the basement next to medical records, get out.
"The HIPAA officer should be in a place where they are easily accessible to patients," Ho says. "And let people know who you are. Put your name out there. Walk the halls. If people know who you are and see you around, it lets them know you're there for them."
5. Buck the trend of training simplification. "People want a one-stop shop for all training, but I believe that is the biggest problem with training today," he says. "The exact same booklet training, or video training, or classroom training shouldn't be given to everyone. People have all different HIPAA concerns and, because of that, you need more focused training."
6. Keep things interesting. "I'm always trying to entertain them," says Ho. "People always like to hear the lascivious details. So I talk about what happened to Britney Spears and … the Octomom [Nadya Suleman] because whenever you talk about money and fame, people get interested."