Companies Just Really Stink at Compliance – Training Is Usually The Problem

HIPAA is a law that is supposed to prevent medical professionals from inappropriately disclosing your medical information to anyone not involved with your treatement and insurance, so that your medical status can not be used against you – for example by an employer who wishes to discriminate against people who are HIV positive. HIPAA compliance is a big deal – it’s likely your personal doctor has given you disclosures related to it, and has had you sign releases regarding your medical data. Penalties for not complying with HIPAA have been as large as 75 Million dollars.

Not too long ago, a major medical manufacturer and their partner, a research hospital, ran a program in which they sent some crucial medical equipment to patients in a large soft rolling padded suitcase. At some point the suitcases became surplus to operations, and they sold them to an online store known for its military surplus. As it happens, I needed a soft padded suitcase to store a ham radio in my trailer, and thus found myself the new owner of one of these cases.

The case came with a patient identification card neatly mounted in an identification window. This gave the patient’s name, birth-date, gender, and the name of a medical device that they were using. A FedEX waybill attached to the case’s handle gave the patient’s home address. Obviously this was a HIPAA violation. I notified the manufacturer and destroyed the patient data.

I’m involved in a different form of corporate compliance: Open Source license compliance by technology companies. But the problems are the same: dumb mistakes like failing to remove patient data before selling suitcases happen because the “little people” in the company – employees who get the assignment of getting the suitcases into a freight container and shipping them out, haven’t been adequately trained to identify a HIPAA issue while it’s happening and protect their employer. Similarly, violation of Open Source licenses happens because engineers and their managers have never had their first class in copyright, licenses, and technology law – it isn’t required for an electrical engineering or computer science degree. When I train such people, I find that they identify problems and bring them to legal when the problems start, rather than letting them happen until there is a development investment and products released to customers, and the intellectual property issues get expensive. Staff who have been properly trained feel in control, and become the first line of defense rather than where the mistakes happen. This saves companies many Millions.

Unfortunately, training people meets strong resistance in every company where I propose it, because the course as it should be taught would take every member of the staff out of production for a whole day. So, I’m always under pressure to cut the entirety of a Compliance 101 class down to two hours.

Somewhere in a medical company, the little people weren’t taught enough about HIPAA to be able to identify an obvious problem, or maybe they were that day’s temps. Managers were tasked to keep this sort of problem from happening. But as always, the managers weren’t the people at the front lines, who really do have brains and can use them if they’re just given some awareness of what’s important.

Someone who isn’t as nice as me could use the information that I saw to bring a class-action suit on behalf of the patients whose information was disclosed, perhaps costing this company tens of Millions. It’s only when that happens that the companies understand the value of training all of their staff.