HIPAA Security Culture of Compliance

Establishing Your Culture of Compliance

Covered Entities (CEs) or Business Associates (BAs) must instill and support a security-minded organizational culture.

What the heck does that mean, “Culture of Compliance”?

Establishing a “culture of compliance” in your healthcare organization will require buy-in from leadership; without it ALL efforts to secure electronic protected health information (ePHI) will fail!

All workforce members in the organization must subscribe to the shared vision of information security so habits and practices become automatic.

As Leon Rodriguez, former Director of the HHS Office for Civil Rights, stated:

“A ‘culture of compliance’ means that everybody has to see themselves as responsible for the privacy and security of health information. You have talked about leadership …

Employers need to make clear to their employees that this is something that they take seriously, including in their disciplinary policies and, of course, their training policies. It is something that really needs to flow down to ALL the employees who handle health information.”

Here are three steps that must be taken:

  1. Education and training must be frequent and ongoing; role-based training is recommended for all workforce members.
  2. Those who manage and direct the work of others must set a good example and resist the temptation to indulge in exceptionalism.
  3. Accountability and taking responsibility for information security must be among the organization’s core values.

Protecting patients through good information security practices should be second nature to ALL healthcare organizations entrusted with ePHI. However, none of these measures can be effective unless the CE or BA is willing and able to:

  1. Implement them!! Don’t find out the hard way, like many others, after a security incident.
  2. Enforce the policies that require these safeguards to be used.
  3. Effectively and proactively train ALL users so that they are sensitized to the importance of information security. This includes ransomware, phishing and other current cybersecurity threats.

Covered Entities and Business Associates: your patients are entrusting you with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why leave yourself wide open to these risks?

Each week, in “Know The Rules!”, I describe HIPAA Security for Business Associates and offer ways to decrease the likelihood that patients’ ePHI will be exposed to unauthorized disclosure, alteration, destruction, or denial of access.

Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!