Three tips to better understand HIPAA compliance

Healthcare organizations that run afoul of HIPAA risk exposing patient data and big fines.

By Carol Amick / Special to Healthcare Facilities Today


According to the U.S. Department of Health and Human Services, approximately 70 percent of organizations are not HIPAA Compliant. The Health Insurance Portability and Accountability Act, known as HIPAA, mandates industry-wide standards for healthcare information and electronic billing and requires protection and confidential handling of protected health information. According to HIPAA rules, any company that deals with protected information must have a physical network and process security measures that are followed to ensure compliance. Given the low rate of compliance, it’s safe to say that many organizations are still perplexed about HIPAA audits, enforcement and compliance. To begin understanding compliance, healthcare organizations would be wise to consider three key recommendations.

Analyze the past to avoid making the same mistake twice

It is important for hospitals and healthcare organizations to look at some of the common mistakes that are repeatedly noted in HIPAA security reviews. HIPAA states that out of all the reviews completed, there are a number of frequent compliance violations and issues that are found each year. This includes impermissible uses and disclosures of protected health information and more than the minimum of that data necessary to get the job done. Healthcare organizations also often lack safeguards to protect health information, means for patients to their personal health information and administrative safeguards on electronic protected health information. Protecting valuable data by analyzing past mistakes is an important step in the compliance process.

Perform a risk assessment and gap analysis

One preventive measure in assessing an organization’s compliance with HIPAA is a risk analysis and a gap analysis. The confusion around the two examinations has been common among healthcare professionals in the marketplace for some time. Not understanding the differences can be detrimental to an organization and puts them at a significantly higher risk. According to HHS Office for Civil Rights (OCR) guidelines, all healthcare organizations must conduct a risk analysis to be deemed HIPAA compliant.

A HIPAA gap analysis can be used to measure an organization’s information security standing against HIPAA, which is part of HHS audit protocol. Comparing the organization’s current practices to the HHS OCR audit protocol will identify the strengths and weaknesses of the security program. From there, the organization can determine whether it has reasonable and appropriate administrative, physical and technical safeguards in place to protect patient health. Performing a gap analysis also allows the organization to develop an audit response toolkit, which includes the data and documentation to prove HIPAA compliance.

The risk analysis is a required control, as defined in audit protocol. Without conducting a thorough and comprehensive risk analysis, a healthcare organization cannot identify applicable threats and vulnerabilities that allow for them to take corrective action. Completing a thorough risk analysis provides insight into the organization’s security position and allows for change before an audit takes place. Risk analysis should also be updated at least annually to ensure they reflect current operational practices.

To begin, an organization should document any electronic protected health information (ePHI) transmission or processing services. This includes any business associates or employees who receive and use ePHI. It’s important to evaluate all aspects of the organization’s operation to verify all uses and disclosures of ePHI are identified. Don’t assume that your IT shop is aware of all of your uses and disclosures.

The risk assessment should evaluate the security, use and disclosure of PHI against HIPAA’s privacy, security and breach notification implementation specifications.

Develop an action plan and a response toolkit

For many healthcare organizations, the question is not whether they will receive a HIPAA audit or an OCR investigation, but when. The OCR, which is responsible for completing HIPAA audits, will contact the organization when the time comes. Investigators will ask for a variety of documents and data. Upon review, the OCR will send the organization a preliminary copy of its findings. This preliminary report gives healthcare organizations the opportunity to respond to the OCR and enter its responses into the final report.

From the final report, the OCR will determine if an organization was in compliance with HIPAA and, if not, where it was lacking. If an organization was not in total compliance, the OCR will provide corrective action and technical assistance that the organization can use to work toward compliance.

Developing an action plan and evaluating information security against the OCR audit protocol to develop an audit response toolkit will provide for practical actions that serve the organization’s best interest, eliminate mistakes, and mitigate risk.

Carol Amick is the Manager of Health Care Services at CompliancePoint.



April 22, 2019


Topic Area: Regulations, Codes & Standards


Recent Posts

17 Million Patient Records Stolen in PIH Health Ransomware Attack

A ransomware attack halted operations across three of PIH’s hospitals.


Holidays are Prime Times for Healthcare Cyberattacks

A study found that 86 percent of organizations that experienced ransomware attacks were targeted on a holiday or weekend.


Hartford Healthcare Forms Partnership to Open Health Equity Clinic

The new clinic will open in January 2025.


UCHealth Reveals Plans for Memorial Hospital North Expansion

Construction on the patient tower is slated for 2026 with a projected opening to patients in 2029.


What Are 'Hospi-tels'?

Hospitals and hotels are partnering to better cater to patients and families.


 
 


FREE Newsletter Signup Form

News & Updates | Webcast Alerts
Building Technologies | & More!

 
 
 


All fields are required. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

 
 
 
 

Healthcare Facilities Today membership includes free email newsletters from our facility-industry brands.

Facebook   Twitter   LinkedIn   Posts

Copyright © 2023 TradePress. All rights reserved.