Tactical approach takes advantage of confusion
With providers increasingly skittish about violating HIPAA but uncertain about exactly what is required, some IT professionals see an opportunity to improve data security, says Mick Coady, principal and co-leader of the Health Information Privacy and Security Practice at PricewaterhouseCoopers, the financial services and consulting company in St. Louis.
This "tactical approach" means IT staff, when asked for help on data exchanges, might overstate what HIPAA requires in order to improve overall data security, Coady explains. They might say that encryption or a certain level of encryption is required for the data, when HIPAA does not require that precaution, for instance.
"Some of the security guys see this as an opportunity to get the tools or policies that they think are necessary in the institution," Coady says. "What they are seeking may be a completely valid need for the provider, but intertwining HIPAA requirements with other security needs in this manner only exacerbates the confusion and encourages more data restriction than HIPAA requires."
- Mick Coady, Principal and Co-leader, Health Information Privacy and Security Practice, PricewaterhouseCoopers, St. Louis, MO. Telephone: (314) 565-1949. Email: [email protected].
