Jeff Jenkins tried hard to stamp HIPAA security into the culture of Georgia's Department of Human Resources, which oversees public health. But one big obstacle stood in the information security officer's way: upper management.
Jenkins said the lack of resources and management support for employee training was a big brick wall that was no longer worth climbing. So he left for a job as security governance and compliance manager for Atlanta-based S1 Corp.
"You want to work where you can be effective in as short a time as possible," he said. "In government, that's very hard. When you don't have management buy-in, you can't enforce the policies needed to change how people approach their daily tasks in a way that's more security- and HIPAA-minded."
Pete Stagman has had the opposite experience as information technology manager for Dedham, Mass.-based Boston Home Infusion, which provides healthcare services to roughly 13,000 homebound patients in New England.
"Upper management understands it needs to get done," Stagman said. "They were clinicians, not moneymen. I tell them we need something and what it'll cost. They shake their heads and say 'OK, we need it.'"
The experiences of Jenkins and Stagman show how HIPAA security officers can have a real impact with upper management's full support, or be doomed from the start without it.
Jenkins said one big problem was upper management's perception of what security entails. "There was more support for the privacy side of HIPAA because it was seen as more of a legal, training and human resources matter and that's where you tend to see more urgency," Jenkins said. "Security is perceived as more of a technical aspect and there isn't as much urgency."
In his new role at S1, Jenkins deals with the financial sector, which has its own set of compliance challenges under laws like Sarbanes-Oxley. Having worked on the health care side, the government side and now the financial side, he said it's easier to understand the big picture.
"If you look at HIPAA by itself, it's more about meeting a compliance deadline," he said. "But if you stack it against other laws like Sarbanes-Oxley, you see this as a paradigm shift in technology. It's not about meeting deadlines. It's about meeting the security threats of the information age and better managing technology in the post-boom era."
Stagman has been fortunate because his bosses seem to understand that. That's not to say his job is a piece of cake.
"This started as a three-man shop and now there are 50 people on the network -- 65 employees in all, spread between here and offices in New Bedford and Springfield [both in Massachusetts]," he said. "Many aren't used to the passwords and the timeouts."
Adding to the challenge is that the organization is essentially a small hospital in which the doctors and nurses are set up in the patients' locations.
"We have liaisons in a hospital -- employees who stay at various hospitals -- and when a patient is released, a doctor or nurse will talk to the liaison who in turn gets all the patients' paperwork to us," Stagman said.
"Let's say one of our drivers shows up at a patient's house with a bag of medication and equipment," he added. "The driver has the paperwork that the patient must sign to receive those items. In some cases the patient will take the package and close the door without signing. Now we don't have a signed document from the patient. That's a problem because we can't charge them without it."
So they have to adopt the approach of your average fast-food drive-through and "get the cash before you give them the food," he said. "We have to really beat it into the drivers' heads that we need that signed paperwork."
Stagman said another challenge is that the organization's software is "very role-based." Drivers can't access patient records, and if someone in the warehouse needs that information to put an order together, they'll go to someone who does have access.
"That person might be very busy, and so they'll give the unauthorized person the password," Stagman said. "Before HIPAA that wasn't a big deal. Now it is. So in a sense HIPAA has helped us bring that kind of problem under control. In the end, HIPAA has made my life easier because it has forced upper management to think harder on security."
Of course, he added, his life is also easier because the management was willing to think harder in the first place.