Health care organizations’ boards of directors and C-suite level officers—particularly chief financial officers (CFOs)—must buy into organizations’ overall HIPAA security and cybersecurity strategies in order for those strategies to be properly funded and supported.

But this buy-in process is far from automatic. Instead, it requires motivated people at lower levels of the organization to distill the key information and provide it to board members and the CFO, using specific strategies to build engagement, stakeholders say.

As the CFO of Tri-County Mental Health Services Inc., which serves the northern Kansas City area counties of Clay, Platte and Ray, Michelle Naus is acutely aware of the issues surrounding data security and HIPAA compliance. But she said she believes she may be an example of the CFO exception, rather than the CFO rule.^[1]

Many of Tri-County’s patients suffer from severe mental illness and substance abuse, and the organization serves as a safety net provider with large Medicaid and uninsured populations, Naus said during a Sage Intacct webinar. Guarding protected health information (PHI) is critical for a mental health services provider, she explained.

“Those individuals have gone through tremendous mental trauma, as well as a stigma that has followed them for all of their lives. And so any kind of identification to us becomes even more crucial than just protecting the PHI that is required under HIPAA—if your employer or your family and friends know you’re getting mental health services, sometimes that stigma will follow you around and cause more trauma,” she said. “If we were to have a HIPAA breach, besides the financial impact that would come to the organization from fines and repercussions, just the reputational damage would be very difficult to overcome, because the trust would be broken with our consumers.”