Talk To The Boss About HIPAA

How do you talk to the boss about HIPAA? That is a question we get regularly. The staff responsible for compliance get trained and understand what needs to be done, but they don’t get leadership support. Over the years we have had to have those conversations many times. It is never easy, but there are some key pointers for making ground with your argument and turning the tide toward support for your efforts. Today we cover a few of our ideas on how to broach the subject effectively when you need to talk to your boss about HIPAA.


HIPAA For MSPs by J. David Sims Talking To The Boss About HIPAA

Talk To The Boss About HIPAA

It isn’t about compliance with regulations anymore. This is about protecting your patients, your clients, and your own business reputation. If it turns out things were not properly secured, it can get pretty ugly. Just ask Equifax’s PR staff how nice it is to be them these days.

This case brings up a point we discuss with folks frequently. How do you talk to the “boss” or the board or the C suite about cybersecurity and HIPAA privacy so they will listen?

FUD Doesn’t Work

Fear, uncertainty and doubt (FUD) is a marketing phrase. The idea is that you win over your audience by telling a story that creates that reaction. With leadership it rarely does:

  • Fines don’t matter.
  • The law doesn’t matter.
  • Patient care, lawsuits and/or reputation DO matter.

Examples are key when you talk to the boss about HIPAA

Use examples of real-world cases, with statistics and quotes they can look up on their own. That is the key to reaching many leaders. Remember, leaders talk to each other, so you have to find the topic that starts the conversation between them in a different manner than in the past.

The “let’s go back to paper” exclamation almost always comes up

Hurricanes Harvey and Irma have given us the perfect answer to this. It is about patient care yet again! With so many displaced people, treatment needed to be provided for extended periods of time across a wide geographic area, based on wherever people ended up. Paper charts left behind in a flooded office do not travel with the patient.

Hard evidence is needed to make it personal

Show the actual ad on the dark web for the Athens Orthopedic data. We covered this before and have links to examples of the ads offering the data for sale on the dark web.

Play the news clips

Here is a great one. Do you think this doctor will start worrying a bit more about how he handles paper charts? The patient’s account, as reported:

  • she had knee surgery in July
  • she later received notice that the anesthesiologist’s paper charts had been stolen from the doctor’s car
  • “he treated my information nonchalantly”
  • no further information for weeks
  • very little concern shown for the private information she entrusted to them

Now picture that on the news, with a copy of your letterhead featured.

Also play the clips from reporters dumpster diving for patient records behind medical offices.

Equifax case is rich in details

The reputation of this company is rapidly deteriorating. Reports have shown a wide array of lax security inside the organization.

Easily accessible encryption keys

A dashboard that included a list of all of their databases along with the encryption keys. Security apparently was not as important as things being convenient for them.

Execs with embarrassingly simple passwords

It isn’t just the breach itself but all the news that has come out since the massive breach was announced. Equifax looks careless, if not completely incompetent, from a security perspective. These conditions are directly related to the way the company’s leadership treated cybersecurity concerns in their organization. Based on reporting by the security group Comodo, the execs were clearly careless when it came to security:

Comodo found that Equifax’s chief privacy officer, chief information officer, vice president of public relations, and vice president of sales used all lowercase letters, no special symbols, and easily guessable words like spouses’ names, city names, and even combinations of initials and birth years.

Sending customers to a fake site

on multiple occasions over the span of weeks, the company’s official Twitter account responded to customer inquiries by apparently directing them to a fake phishing site called

Small businesses are filing class action

…small business owners were disproportionally affected by the breach, as the availability of small business credit is often directly linked to its owners’ creditworthiness

Leadership Failures

Insider trading investigations, early retirement announcements, and lax security all indicate there was no strong leadership making these things a priority. If you are one of the 143 million people involved, how do you feel learning they cared so little about your data and so much about money instead?

When you are the one who has to talk to the boss about HIPAA, you have to be the one to sort out the best approach. We have covered a number of ways to present the information that differ from how most people start. The bottom line is that you should never simply demand that something be done because the law says to do it. You must tell the story that explains why it matters today. It matters to your business, your clients, your patients, your employees, and your reputation. If you do not have solid leadership in this area, you must get the point across to someone in a leadership role. Find the best approach for you to talk to the boss about HIPAA now, before you need to do it because things have gone horribly wrong.