Ensuring Compliance with the Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) requires physicians, healthcare providers, and all others that qualify as “covered entities” or “business associates” to comply with regimented patient privacy and security standards. Failure to fully comply with the law can result in an investigation by the Office for Civil Rights, leading to fines, penalties, and potential damages. The best course for a covered healthcare entity is therefore to proactively audit its HIPAA compliance. The following are some key topics that are important for HIPAA compliance.

Risk Assessments. All covered entities and business associates must conduct periodic risk assessments to identify potential risks to protected health information from a variety of threats, including environmental threats such as long-term power loss, chemicals, or pollution. Other threats that must be included in the assessment are intentional and unintentional human data breaches, human error, and natural disasters such as floods, tornadoes, and earthquakes. The risk assessment must include a variety of information and clearly delineate the risk and potential impact of each specific threat. In conjunction with the identification of threats, the risk assessment must demonstrate and outline the safeguards implemented to mitigate the potential risk from the identified threats.

Privacy and Security Standards. An easily overlooked issue is the difference between the requirements of the HIPAA Privacy Rule and those of the HIPAA Security Rule. The HIPAA Privacy Rule requires a covered healthcare provider to have specific policies and procedures for health information disclosure and to distribute a Notice of Privacy Policy to patients. These requirements are separate from the policies and procedures required by the HIPAA Security Rule. Policies and procedures under the Security Rule relate to physical premises security, data encryption, and other electronic protection measures. The HIPAA Security Rule and the Privacy Rule require separate and distinct policies and procedures, and compliance with each should be evaluated individually.

Ongoing Compliance. After HIPAA policies and procedures are adopted, ongoing compliance requirements must not be overlooked. For example, HIPAA compliance activities must be recorded, and records demonstrating implementation must be kept. Compliance with the Security Rule and the Privacy Rule must be periodically reviewed, with policies and procedures updated as circumstances warrant.

HIPAA has many pitfalls that a healthcare provider may fall victim to, even when that provider is attempting to comply with the law. This underscores the importance of taking proactive steps to audit HIPAA compliance and, where appropriate, seeking outside counsel to prevent unintentional missteps.

© 2015 Houghton Vandenack Williams