About "Crushing Kim With HIPAA"
HIPAA is widely misunderstood, not because of any one thing, but rather the accumulation of many confusing concepts, phrases and terms. This series explores those confusing things through the eyes of Kim, a hypothetical office manager in a small clinic named Memphis Family Clinic. Big hospitals have departments of lawyers and information technology specialists (I/T, CIO) to handle HIPAA challenges. Kim and Memphis Family Clinic do not have those resources. This series tries to show how challenging HIPAA is for small clinics.

Security & Privacy

If you were to ask 100 random people, 'What is the difference between privacy and security?', more than 90% of them could not explain the difference. I cannot explain the difference. Though not synonyms, privacy and security are closely related. Our hypothetical office manager Kim would struggle to explain the difference to her team.

Yet, in HIPAA, the Security Rule is meant to be substantially different from the Privacy Rule. These two rules are the foundation of HIPAA. Every HIPAA instructor and every sentence written about HIPAA emphasizes the importance of these two rules. (ClinicNerds avoid using these confusing words.)

Poor naming is, in my opinion, one of the reasons that HIPAA is so poorly understood. HIPAA experts have a hard time remembering the difference between the Privacy Rule and the Security Rule. Little tricks like Privacy is for PHI are not much help. New healthcare workers, energetic to learn, are dumbfounded by the Privacy Rule and the Security Rule.

The poor naming problem is compounded when the HIPAA rules state that a healthcare organization should designate a Privacy Officer, a Security Officer, and/or a Compliance Officer. That is more officers than the Army! Promotional side note: In trying to reduce this confusion over the many officers, the ClinicNerds combined the roles and nicknamed this person the 'HIPAA Lifeguard.' At a pool, the lifeguard watches over swimmers. At a clinic, the HIPAA Lifeguard watches over PHI.

Possible Fix

Here is a suggestion for fixing this problem. Replace the phrases 'Privacy Rule' and 'Security Rule' with 'Patient Rights' and 'Protected Health Information' or PHI.

I am not suggesting that the rule books be re-written. But when explaining HIPAA to healthcare workers, it might be less confusing to start with PHI and Patient Rights.

I would also like to eliminate the acronym 'HIPAA', but it is too entrenched. The acronym has outgrown and outlived its original intent, which had to do with the portability of health insurance. While conceding that HIPAA has high name brand recognition, there is no denying that it is extremely negative on the emotional scale. Want to quiet a roomful of healthcare workers? Just say HIPAA.

October 5, 2017
By Bert Ryan