Can we all agree that HIPAA was a big ado over nothing and stop talking about it? I would be hard-pressed to identify one thing that HIPAA has changed at my organization with regard to privacy and security. Sure, we had to do some training, but we would normally do that. We produced a Notice of Privacy Practices, but does anyone read those? Are any of them written in a meaningful way?
While HIPAA has been well intended, it has had a negative impact. Where we used to talk about our concern for patient privacy and information security, now we ask “are we HIPAA compliant?” I would argue that the latter is a LOWER standard. We do much more to protect our patients’ privacy than HIPAA requires us to. I think it is sad that we only focus on being compliant and not on doing what is in the best interest of those we serve.
Let’s re-direct the conversation from “HIPAA” to privacy and security.