
Your intake coordinator shares her login credentials with the night shift supervisor. Your crisis counselor uses an AI tool to summarize session notes faster. Your billing specialist still has access to clinical records from a role she left eighteen months ago.
None of these people are careless. They understand patient privacy matters. They sat through the security training and nodded at all the right places. They genuinely agree with the security policies your organization spent months developing.
Then they get back to their actual work, and the policies become obstacles they need to route around to get anything done.
This pattern shows up everywhere. Staff who care deeply about protecting patient information make daily decisions that undermine security. The problem is not the people, it’s that secure practices are regularly in conflict with efficient work, and when faced with that choice, people choose getting their job done. If you want different security outcomes, you need different workflows.
When Workarounds Signal Broken Processes
Most workarounds in behavioral health settings emerge because the secure path creates unreasonable friction. A clinician shares login credentials because the password reset process takes three days and they need to document a crisis intervention right now. A program manager uses an unauthorized productivity tool because the approved alternatives require five forms and two weeks of IT review.
These workarounds tell you where your security design fails to account for operational reality.
Based on our experience with behavioral health organizations, the diagnostic question is simple. Ask your team: “If you followed this security procedure exactly as written every single time, what would break in your daily workflow?” Their answers reveal which policies need workflow redesign, not better enforcement (National Institute of Standards and Technology, 2023).
When staff cannot do essential work while following security procedures, they will find ways around the procedures. You can respond with stricter enforcement. Or you can redesign the workflows so the secure path is also the efficient path.
Redesigning Workflows for Security and Efficiency
Crisis admissions demonstrate this principle clearly. Your policy requires unique credentials for every user accessing the EHR. In practice, when someone arrives in acute distress at 11pm, your crisis counselor needs immediate system access to check for previous episodes and medication history. If the on-call supervisor’s credentials are already logged in, the counselor uses those credentials.
When security and patient care compete for priority, patient care wins every time. That’s not a training problem. That’s a workflow design problem.
Redesigning this workflow requires understanding what the counselor actually needs. Fast authentication that does not compromise security. Options include biometric readers at crisis stations, role-based quick-access credentials with enhanced audit logging, or streamlined mobile authentication that takes seconds instead of minutes. The specific solution matters less than the commitment to making secure access faster than the workaround.
Shadow IT follows similar patterns. Staff discover tools that genuinely improve their work. They start using these tools without proper authorization because the official approval process feels designed to say no rather than evaluate options thoughtfully. Organizations that successfully manage this challenge create streamlined evaluation processes with clear criteria and two-week turnaround commitments. When staff can get legitimate tools approved in reasonable timeframes, unauthorized usage drops dramatically.
Access permissions create persistent friction. Someone changes roles from clinical to administrative work. Their old permissions remain active because removing them requires an IT ticket that disappears into queues for months. Eventually you have dozens of people with access they no longer need.
The operational approach is building permission changes into role transition workflows. When someone moves from intake coordinator to billing specialist, the system automatically flags their clinical access for review. The manager receives a prompt requiring active decision within days of the role change, when the context is fresh and the decision is obvious. Access request workflows need similar attention. Fast-track routine requests that fit standard role profiles. Reserve intensive review for unusual access patterns.
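As an added illustration (not the article's own code or any product's), one way a role-transition workflow could flag entitlements that fall outside the new role's standard profile, assign the manager a review deadline, and fast-track access requests that match the profile; the role names, entitlement names and the five-day review window are assumed:

```python
from datetime import date, timedelta

# Constructed standard role profiles: the access each role normally needs (hypothetical entitlement names).
ROLE_PROFILES = {
    "intake_coordinator": {"ehr_clinical_read", "ehr_intake_write", "scheduling"},
    "billing_specialist": {"billing_system", "ehr_demographics_read", "claims_portal"},
    "crisis_counselor": {"ehr_clinical_read", "ehr_clinical_write", "crisis_station"},
}

REVIEW_WINDOW_DAYS = 5  # assumed: the manager must decide within this many days of the role change


def flag_transition(old_role, new_role, current_access, changed_on):
    """Return entitlements the new role's profile does not cover, each with a manager review deadline."""
    keep = ROLE_PROFILES[new_role]
    deadline = changed_on + timedelta(days=REVIEW_WINDOW_DAYS)
    return {
        entitlement: {"previous_role": old_role, "review_by": deadline}
        for entitlement in sorted(current_access - keep)
    }


def triage_request(role, requested):
    """Fast-track a request that fits the role's standard profile; route anything unusual to intensive review."""
    profile = ROLE_PROFILES.get(role, set())
    unusual = sorted(set(requested) - profile)
    return ("fast_track", []) if not unusual else ("intensive_review", unusual)


def overdue_reviews(flags, today):
    """Flagged entitlements whose deadline has passed with no manager decision recorded (a 'decision' key)."""
    return sorted(e for e, f in flags.items() if f["review_by"] < today and "decision" not in f)


if __name__ == "__main__":
    # Constructed case: the billing specialist from the opening who still holds clinical access.
    flags = flag_transition("intake_coordinator", "billing_specialist",
                            {"ehr_clinical_read", "ehr_intake_write", "billing_system"}, date(2024, 3, 1))
    print(flags)
    print(overdue_reviews(flags, date(2024, 3, 10)))
    print(triage_request("crisis_counselor", ["ehr_clinical_read", "crisis_station"]))
```

The overdue list is what an escalation job would send to the manager's manager when a review deadline lapses without a recorded decision.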
Annual security training satisfies compliance requirements while changing almost nothing about how people work. Effective security training is continuous, role-specific, and scenario-based, delivered via brief video scenarios in morning huddles or team meetings.
Show your intake coordinators what a targeted phishing email looks like when it impersonates your EHR vendor. Show your program managers how Shadow IT tools might promise HIPAA compliance without actually providing it. Run monthly ten-minute sessions with one scenario and immediate discussion about what the secure response looks like and what barriers might prevent people from choosing it. Those barriers become your workflow redesign targets.
Phishing simulations work when they are educational rather than punitive. When someone clicks, provide immediate feedback about what signals they missed.
Getting Team Buy-In for Process Changes
Start by acknowledging the legitimate frustrations that drove the workarounds. “I know the current password reset process takes three days. That’s unacceptable when you need access for patient care. Here’s what we’re changing to fix that.”
Involve frontline staff in redesign efforts. The people doing the work daily understand the friction points better than anyone in leadership or IT. When staff contribute to creating new workflows, they become advocates for those changes.
Start with your highest-friction workflow causing the most frequent workarounds. Pilot the redesign with one team over four to six weeks. Use lessons learned to tackle the next priority. This phased approach demonstrates quick wins that build momentum for broader changes.
Celebrate visible wins. When the new crisis admission authentication process works smoothly during an actual emergency, tell that story. These examples demonstrate that security improvements can make your work better, not just more compliant.
Security policies exist to protect the therapeutic relationship that defines behavioral health care. Every security decision your team makes connects directly to patient care quality. Frame security improvements through this mission lens. You are removing obstacles that prevent your team from protecting the therapeutic relationships your organization exists to support.
When security practices align with operational efficiency and mission delivery, workarounds disappear because they are no longer necessary.
What security workarounds are your team using right now, and what do those workarounds tell you about processes that need redesigning?
Xpio Health helps behavioral health organizations redesign workflows so security and efficiency support each other. Contact us to explore how we can help you audit current workarounds and redesign your highest-friction workflows.
#BehavioralHealth #PeopleFirst #XpioHealth #WorkflowOptimization #Cybersecurity #OperationalExcellence
References
National Institute of Standards and Technology. NIST Cybersecurity Framework. NIST.gov. 2023. https://www.nist.gov/cyberframework

