Compliance & Legal

Closing HIPAA compliance gaps: Getting your policies in order

Most organizations do not have the necessary bandwidth to develop and maintain complete policies
By Lyn Triffletti
September 23, 2015
08:55 AM

While every healthcare organization is aware of the need to comply with the Health Insurance Portability and Accountability Act (HIPAA), many--especially smaller entities such as physician practices--don't have all the policies and procedures in place to adequately meet the requirements and preserve the privacy and security of patient health information.

One reason for this is that the scope of what's necessary is so broad. Believe it or not, there are 52 possible policies that organizations may need in order to comply with HIPAA. To determine which ones are required, an organization must perform a comprehensive risk assessment and gap analysis. Based on the results, a facility can then craft the appropriate policies, addressing all the relevant details that the regulations demand. Although organizations can find standard policies online, these may not be sufficient, especially for specialty practices with unique requirements.

As discussed in part 1 of this series, most organizations do not have the necessary bandwidth to develop and maintain complete policies. This lack of time and resources leaves many entities at risk, but there are strategies to deal with this and prioritize compliance.

Small Oversights Can Lead to Big Problems

Giving less than full attention to HIPAA compliance is a risky proposition. Although organizations may not truly understand the scope of HIPAA regulation and how to address it, the consequences of a breach are rarely minor, and a facility will soon discover the ramifications of a HIPAA policy deficit.

Consider a practice that receives a call from one of its patients who has a neighbor working in the office. The patient is concerned that the neighbor might have access to the patient's medical record and wants to know what the practices' policy is for preserving the privacy of patient health information. The practice only has a short HIPAA form--one that was written several years ago. The patient begins to question whether her information is in fact secure and files a complaint with the Department of Public Health. The situation quickly escalates, and all of a sudden the practice is facing a six-figure fine and a potential lawsuit, which it likely cannot afford.

Examples like this one are not as rare as some might think. It only takes one patient who is concerned about his or her rights, and an organization may be confronting dire consequences.

Taking Steps to Mitigate Risk

Ensuring a practice has the right HIPAA policies in place may seem daunting, however there are several concrete ways organizations can realize better compliance, starting with proper risk assessments and policy documentation. Here are a few tactics to consider when broaching those strategies. 

Seek expert resources. Commonly, it's not realistic for small to mid-sized practices to have a dedicated HIPAA expert on staff. Practices often have limited resources that are focused on other priorities, and finding an individual who is proficient in HIPAA can be difficult. To lay the groundwork for reliable compliance, organizations should look for expertise outside the practice's four walls. This may entail outsourcing HIPAA compliance efforts or hiring a consultant or compliance lawyer to advise practice staff. There are also many available software options to guide people through detailed risk analyses and policy creation.

Conduct a gap analysis. The only way to know whether your organization is in compliance is to conduct a risk assessment or gap analysis. This will involve an in-depth review of current policies, visual observations of existing operations and conversations with staff members about how they maintain patient health information security. As part of this exercise, an organization may want to use a scoring mechanism to quantify potential shortfalls and pinpoint areas of focus. Again, leveraging the skills of an outside resource can be valuable.

Customize policies. Once an organization determines what policies are required through its gap analysis, it can consult the internet, software vendors or outside resources to find a starting point for policy development. It is important to note, however, that facilities should customize the policies to address their specific risks and needs, as well as document them for the practice. Specialty practices in particular cannot just adopt policies that are meant for primary care providers or hospitals. Customization is the best way to make sure that a practice is addressing its particular HIPAA policy needs.

Set up reminders. Once these three steps are completed, providers should not let their HIPAA compliance go stagnant. Instead, practices should review their policies and risk assessments at least annually, if not more frequently. Not only is this required, but it is also wise given how quickly things are changing in healthcare. To keep track of this activity, an organization may wish to set up a tickler file or some other reminder method.

Underpinning any good HIPAA compliance effort are strong policies and regular risk assessments. Organizations that commit to this work can ensure they preserve the privacy and security of patient health information and avoid the unpleasant situations that could result from a lack of attention and documentation.

The last article in this series will focus on improving HIPAA training, exploring ways to use information from risk assessments to inform staff education. 

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Capitol rotunda at sunset
Congress releases AI policy blueprint

Most Read

Medtronic dismissed from pulse oximeter lawsuit, FDA still working on guidance
Epic APIs move to USCDI v3
Walgreens pays $100 million to settle class action drug case
HIMSSCast: Digital tools can leverage SDOH data and improve outcomes
Trump taps former Rep. Doug Collins to head VA
Lawmakers ask CDRH to revisit its CDS guidance

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

More Stories

Dr. Eric Liederman, CEO of CybersolutionsMD
Q&A: CybersolutionsMD CEO on preventing cyberattacks
Change healthcare booth
Nebraska sues Change Healthcare over ransomware attack
Vijayashree Natarajan of Omega Healthcare on AI
Three for 2025: data security, cancer informatics and agentic AI
Capitol Hill
Congress looks set to extend telehealth and hospital-at-home flexibilities
Josh Di Frances at LG NOVA_Top down view of startup team Photo by NanoStockk/iStock/Getty Images Plus
What a startup pitch competition shows about IT innovation
Ravi Teja Karri of Froedtert Health on AI
Using AI and ML in predictive analytics for bed demand forecasting
Abstract image of AI brain and technology
ASTP updates HHS AI Use Case Inventory for 2024
Female doctor on laptop smiles at patient in foreground who is taking notes
Report shows overwhelming doctor support for virtual care