Lately I’ve seen an uptick in the number of articles and posts wanting to blame or point the finger at workforce members for the breach activity we continue to see plague healthcare. Statements like, we need to focus more on the workforce or workforce training needs to be enhanced. Don’t get me wrong, I’m not suggesting that a fair amount of the responsibility does not lie with workforce members, but I would suggest that they are a symptom or the manifestation of the problem. The problem is nine years after the privacy rule went into effect and seven years after the security rule went into effect we still do not have what the Office for Civil Rights calls a “culture of compliance.”
OCR doesn’t just mean that compliance should be an organizational goal, they meant that they want to see organizations that make privacy and security a fundamental business priority and have the right controls and behaviors ingrained to provide reasonable and appropriate protection for patient information. OCR is absolutely right to focus on culture, it is an extremely powerful motivator - organizations with the right culture, founded on the right principles, can move mountains. Culture is also impacted by one thing more than anything else – leading by example. Which is why we generally hear experts talk about creating culture at the top, with the leaders setting the example.
So is it the workforce or the culture?
If something is part of our culture it intuitively becomes ingrained in everything we do. It becomes one of those invisible factors that permeates how we act, how we make decisions, how we prioritize things. It gets attention, it gets resources, it gets discussed by leadership and pointed to as a marker to guide our actions. We don’t just talk about it, we reinforce it, we ensure the organization is accountable to it, we make sure it matters. The leaders who establish culture come in many forms. They are CEOs, and CMOs, CMIOS or CNOs. That tier plants the seeds of more leadership by Department Heads, Directors, Section Chiefs and Head Nurses, and ultimately it is key clinicians and medical staff that demonstrate the right principles to their peers and teams for how to properly handle patient information. These are the individuals in positions to most effectively communicate cultural principles and set the example. They are individual leaders in the workforce as well who set the example every day for others by doing what is right.
Is privacy and security one of your guiding principles, part of your culture, or are they just compliance headaches?
