
The Step Child of HIPAA Compliance: Culture Change

by D'Arcy Guerin Gue
March 2002

Most discussions of HIPAA compliance mention, almost parenthetically, that successful HIPAA initiatives will require "sweeping cultural changes." Some may go on to say that these cultural changes will necessitate changes in operational processes and behaviors. But, despite the increasing profusion of resource information available through HIPAA conferences, whitepapers and articles, almost no one is talking or writing in any depth about the practical side of HIPAA culture change.

What culture changes? How do we determine if our organization needs such changes - and what are they supposed to be? How do we accomplish HIPAA privacy and security-related cultural changes? Why aren't industry "experts" offering culture-changing ideas alongside their many policy, procedural, and technology solutions? And, what do we mean by culture, anyway?

The American Heritage English Dictionary defines culture as: "The totality of socially transmitted behavior patterns, arts, beliefs, institutions, and all other products of human work and thought." Another definition, a bit easier to relate to, is that "Culture is shared, learned values, ideals, and behavior - a way of life." (from John Bodley, Chairman, Department of Anthropology, Washington State University, Cultural Anthropology: Tribes, States, and the Global System, 1994). Our simple definition of a "HIPAAtized" culture might be "where compliant attitudes, behaviors and sensitivity to patient privacy and confidentiality become second nature and assumed throughout the workforce."

Typically, most HIPAA assessment and remediation initiatives have been handed off to information technology, legal, health information management and compliance professionals. These are specialists in critical aspects of HIPAA compliance, to be sure - but not known for their attention to the "touchy-feely" side of organizational life. In fact, with all due respect to their more traditional HIPAA expertise, it is likely that a job interview inquiry of most HIPAA project leader candidates regarding their experience in culture change management would generally rate a "Say wha--?" This is one reason why the general absence of authoritative guidance concerning cultural and behavioral change is no surprise.

The prevailing approach to the cultural components of HIPAA compliance appears to be built on the mystical "Field of Dreams" premise: "Build it - and they will come." In other words, do the technical and administrative assessments...write the policies...develop the procedures...change the forms...upgrade the systems...lock up the data...set up training dates...and voila! It's a HIPAAworld! This may have worked great in the movie, but is unlikely to translate well into the real world of healthcare. As most experienced human resources, staff development, and change management professionals will tell you, regulations, policies, procedures - even monitoring and threatened sanctions - will not ensure that employees will change their values, attitudes or habits.

It is likely that some covered entities don't care about, and will never attempt to reweave the admittedly soft, slippery threads of their cultures into a new privacy and confidentiality-sensitive fabric. Using the "Field of Dreams" approach, "minimum" compliance to these organizations means moving all the tangible, external pieces of the HIPAA jigsaw into place -- first, to meet the letter of the law; second, with the belief that the most obvious areas of exposure to Federal scrutiny will be eliminated, and third, with the hope that desired behavior will follow. However, the idea that documented policies, procedures and protections are an organization's first line of defense against complaints, lawsuits or other undesirable exposure is mistaken.

The fact is, the first line of defense is the front-line employee who interacts with the patient, creates, accesses and files his or her information, and passes it along to others in the delivery chain. Members of resistant or inappropriate cultures are the most frequent reason for failure of such organizational initiatives - and, in fact, can undermine and even derail implementation. The culture must be pulling in the same direction as the plan. Only those organizations that focus on the attitudes and behavior of their workforce can hope to achieve DHHS' objective for HIPAA privacy and security implementation - a healthcare delivery environment that is conscientious, diligent and thorough in its protectiveness of privacy rights and the confidentiality of health information.

How to build a HIPAAculture in your organization? As with the more tangible HIPAA components, it will be difficult to decide how your culture should change without understanding where it is now. Here are some recommended first steps:

  1. From the get-go, include a qualified human relations/change management professional in your mix of HIPAA implementation team members. If your HR Director and/or Training Manager don't qualify, include them anyway and enlist outside organizational change expertise for strategic support.

  2. UNDERSTAND WHAT THE ORGANIZATION'S CULTURE IS TODAY, relative to HIPAA issues, by conducting a "CULTURAL GAP ANALYSIS" across your organization. This should be simultaneous with your administrative and technology assessment - and should be given the same priority.


    • Conduct a survey of management and workforce attitudes towards such issues as:
      • Patient rights to privacy
      • The value of keeping data confidential
      • The value and effectiveness of existing confidentiality measures
      • Regulatory compliance overall (How critical or resistant to regulation is the culture?)
      • Corporate initiatives overall (How seriously have they been taken in the past? What has been their success?)
      • What is perceived to be "really" important to management (Are the stated and unstated corporate missions the same?)
      • What is perceived to be the existing workforce commitment to privacy and security?
      • The staff's openness to change in general
      • The effectiveness of the organization's training/development functions

    If your HIPAA compliance team does not have experience conducting such surveys, this is the time to consult with an organizational change expert.

    • OBJECTIVELY EVALUATE HIPAA-RELATED CULTURAL FACTORS, after spot-interviewing managers and other staff across the enterprise. Consider:
      • What is perceived as the organization's style of management - proactive vs. "head-in-sand" or "wait and see;" authoritarian vs. consensus-driven; or?
      • Management's openness to change, workforce's openness to change
      • Built-in impediments to culture change, such as multiple facilities, size, diversity
      • How do organization members communicate with each other? What methods have been most effective?
      • How effective are new employee orientation programs?
      • How can the relations between clinical staff and management be characterized? Relations between the senior HIPAA executives - Privacy and Security Officers, Compliance Officer, CIO, Director of HIM, General Counsel, etc.?
      • What is the internal strength/influence of the HIPAA executive sponsor, the compliance staff, the training staff?
      • How does PHI originate and flow into, through, and out of the organization? Who handles it, and why? (Remember the "Minimum Necessary" requirement!)
      • What lessons can be learned from the enterprise's past organizational changes?
      • How has the organization historically educated and developed staff? What has worked? Hasn't worked?
      • What are the separate missions of the organization's various departments/functions? How might they mesh with - or collide with - the organization's HIPAA goals?
      • How does corporate politics relate to compliance? Are there strong, influential pockets?

  3. DETERMINE WHAT THE CULTURE NEEDS TO BE, to achieve a "HIPAAculture" -- where compliant attitudes, behaviors and sensitivity to patient privacy and confidentiality become second nature and assumed throughout the workforce. Answer questions such as:
    • What is the organization's "vision" of itself as a HIPAA-compliant enterprise? Does it just want to "meet the letter of the law?" Does it hope to be seen by patients and the public as an ethical organization that values patients' privacy and confidentiality along with quality care? Does it want to be seen as a world-class, cutting-edge healthcare leader that goes out of its way to provide exceptional services and privacy protections? Or?
    • What new values, perceptions and beliefs are required to match the corporate vision?
    • What behaviors and habits are required?
    • What knowledge and expertise is required?
    • What management support will be needed to reinforce and support these changes?
    • What training and development efforts will be needed?
    • What reinforcement and support efforts will be required?

  4. Then, CONNECT THE DOTS by applying the cultural gap analysis results to your overall HIPAA Plan and implementation strategy. Use the expertise of your entire HIPAA team AND input from first line managers. And, throughout your implementation, keep referring back to these desired cultural outcomes to keep on track. You will probably find that the list of needed actions will change and expand as the implementation process unfolds. There are at least eight basic steps to HIPAA cultural change:
    • Apply the cultural gap analysis in developing the overall HIPAA change strategy
    • Publish a meaningful, clear corporate vision so that individuals will see their behavior as contributing to something of value and importance -- and will have a strong directive as to the organization's intent.
    • Ensure, if possible, that top leaders are unequivocally IDENTIFIED with the corporate HIPAA vision
    • Define an appropriate flow of authority and influence that will effectively reinforce executive decisions and the HIPAA vision
    • Design an enterprise-wide learning process that:
      • Clarifies and, if necessary, details the gap between the current culture and the corporate vision
      • Acknowledges what's already being done to protect privacy and security
      • Presents ways in which HIPAA compliance will represent one or more "wins" or benefits for individual workers
      • Makes use of case studies, and focuses on the organization's real-world situations
      • Encourages sharing of experiences
      • Provides not only mandated training, but other learning tools (like a HIPAA resource center, HIPAA hotline, departmental HIPAA "super users," access to inexpensive industry audio conferences, etc.)
    • Design an enterprise-wide motivation and reinforcement process (a combination of initiatives that suits your organization, which might include a HIPAAction campaign, regular internal newsletter and intranet HIPAA features, posters, contests, inclusion in staff meeting agendas, Q/A forums, etc. Make HIPAA a "cause" - and be creative!)
    • Design a management reinforcement and control process, again with the input of line managers. This should include ensuring that managers and supervisors understand the linkage between their departments' activities and HIPAA compliance.
    • Implement the HIPAA culture change program systemically, not piecemeal - and only when:
      • Leadership is ready and willing (e.g. committed), and
      • The HIPAA team is ready to hit hard and fast. Implementation should include a strong, firm message, visible actions supporting rapid momentum towards change, and consistent follow-through.

A final bit of advice: if you are part of your organization's HIPAA culture change, don't assume smooth sailing. Embedded values and habits carry voltage - translation: expect to receive negative pressures and experience some stress! Any change always means losing something, if only the familiar. But if you and your HIPAA team apply the above guidelines, and can plan for objections or resistance from managers, clinicians, and other staff, you will effect powerful and essential HIPAAchange.


D'Arcy Guerin Gue is Executive Vice President, Knowledge Services and Business Development, of Phoenix Health Systems, Inc., experts in HIPAA change management, strategic planning, and procurement, implementation and integration of state-of-the-art health care information technology. www.phoenixhealth.com
