Embracing Cultural & Regional Differences in Privacy & HIPAA Programs


I recently had the opportunity to visit Embracing our Differences, an annual outdoor art exhibit in Sarasota, Florida (https://www.embracingourdifferences.org/). The exhibit features juried works from across the globe paired with quotes that celebrate the diversity of the human family. This experience led me to consider again the need to respect cultural, business, and regional differences in developing privacy and HIPAA programs.

In a prior blog post, I commented that rather than taking a one-size-fits-all approach, companies should consider their unique attributes, including industry, size, location-specific requirements, and public or private status. https://www.kamowitz.com/blog-2020/is-privacy-compliance-a-walk-on-the-beachnbsp But what about corporate culture and regional differences among organizations, their employees, and their customers?

Much has been written about the impact of cultural differences on international business relationships, compliance, and ethics. Similarly, privacy laws across the globe reflect cultural differences. Most notably, European nations consider privacy to be a human right as a result of the events of the twentieth century, and particularly World War II, the Holocaust, and the rise and fall of Communism. Similarly, scholarly articles describe regional differences in healthcare access, utilization rates, and mortality across the United States.

In the past year, we have become all too aware of how regional differences have shaped our political views as well as our response to the pandemic. Topics that we might have considered to be beyond discussion, such as basic science and guidance on mask-wearing, have been challenged by various constituencies. As a Massachusetts native, I first became aware of those differences when I attended graduate and then law school in Madison, Wisconsin, and a professor referenced “eastern intellectual snobs.” In a later move to Norfolk, Virginia, I found that grocery store workers smiled more when I slowed down my speech and stretched out my syllables. And then, when I traveled to conduct compliance and privacy training in the Midwest, I found that I could warm up the room by casually mentioning that I had lived in Wisconsin for six years. More recently, due to the pandemic and the availability of virtual meeting platforms, I have had the opportunity to speak with and learn from colleagues across the country who face very different issues than I might find in my area.

So why should we expect that one-size-fits-all privacy and HIPAA programs are an effective way to meet business needs? Too often, organizations that are pressed for time rely on off-the-shelf products to develop policies, procedures, and training materials without recognizing the unique characteristics of their operations, thus limiting their impact on employees and on customers. These materials may suffice for a check-the-box exercise, but it is crucial to consider the audience and customize policies, procedures, and training in order to make the message impactful and the program successful. This does not mean that organizations should shy away from privacy management technology, which can be extremely helpful in simplifying compliance, reducing redundancy, and allowing professionals to concentrate on other mission-critical projects, customer service, and business strategy. Rather, in implementing these systems, companies should look to how technology can complement and serve the inherent uniqueness of each business.

An Example: HIPAA Compliance

One might think that compliance with a single federal law such as the Health Insurance Portability and Accountability Act (HIPAA) would be the same across the country. However, in order to develop an effective program, it is important to consider the unique characteristics of each medical practice or organization.

It is generally understood that different requirements apply to the various types of HIPAA covered entities (health care providers, health plans, and health care clearinghouses) and that the requirements for business associates who perform services on behalf of a covered entity differ to some degree and are governed by a contractual relationship. But within each category, there are differences in operations, structure, and culture.

For example, for health care providers, it is important to consider the following questions:

  • Is the healthcare provider a solo practitioner, part of a small medical group, a member of a large regional hospital system, affiliated with a university, or part of a national healthcare company serving a wide range of patient needs?

  • Is the practice located in a rural area or a densely populated city?

  • Who are the patients? Do they require the assistance of personal representatives, translators, or other aides? Do they have transportation assistance needs?

  • What type of information is collected? Is research data at issue? Does the provider maintain psychotherapy notes, HIV/AIDS data, or substance abuse treatment data?

  • What are the policies surrounding telehealth? Do patients have readily available internet access?

  • What is the education level of the patients? Are they able to understand their rights under HIPAA?

  • Are there internal information security, legal, compliance, and privacy functions, or is a single office manager trying to handle all issues? What other resources are available to answer questions?

Similar differences are evident among HIPAA business associates. For example:

  • What services does the company provide on behalf of the covered entity? Is the company a small niche company, a regional player, or a large international business?

  • Is protected health information received regularly or only on occasion? What other types of confidential information are processed?

  • Does the company provide services to a range of customers or does it tailor its services to the medical community? Is HIPAA compliance part of an overall privacy program that also addresses laws such as GDPR or the CCPA?

  • Has the business taken steps to understand the requirements of the various business associate agreements it has signed?

And for health plans, a basic question is whether the plan is a commercial insurer or an employer-sponsored self-insured plan.

All these questions impact the development of policies, procedures, and training. Taking the time to consider these questions and others will result in a tailored program, increased understanding and compliance, and reduced frustration and risk.

I would be happy to discuss your unique needs.