Five Frequently Overlooked Mistakes in HIPAA Compliance
Most healthcare entities have adapted to the major requirements imposed by HIPAA, HITECH, and the Privacy and Security Rules. Nevertheless, the regulations still tend to trip up the unwary. According to a recent article by Saad Gul and Michael Slipsky, published by law firm Poyner Spruill LLP, these are the most frequent tripwires on which covered entities and business associates regularly stumble:
1) Patient Access to Records: HIPAA requires both integrity and availability of records with a high level of confidentiality. This means patients are entitled to their records. So, while this may prove to be a challenging conundrum, compliance programs must accommodate this legal reality.
2) Disclosure to Extent Necessary: HIPAA requires that disclosure of health care records be minimized to the extent necessary to accomplish an objective. For practical purposes, however, a technical solution is not always available to achieve this ideal. For instance, some computer systems cannot be configured for every purpose. In such instances, “extent necessary” must be accomplished by alternative means, such as administrative and procedural safeguards, which are heavily audited.
3) Fluctuating Employee Roles: Job functions continually evolve, and access is rarely calibrated to fluctuating business needs. So, any compliance program needs to regularly reassess employee function versus access, and access must conform to current responsibilities.
4) Business Associate Safeguards: HITECH and the Security Rule require a security assessment and the institution of safeguards to protect against reasonably anticipated disclosure. They also require that all Business Associates be bound to adhere to safeguards. Yet many covered entities overlook this requirement. If the Business Associate is unwilling to accommodate the requirement, the covered entity needs to evaluate the contractual arrangement, ensuring that it meets the identified security criteria, and document the basis for this determination.
5) Transitions During Practice Consolidation: The acquisition and consolidation of practices result in transition periods in which the successor entity has multiple sets of PHI records under multiple compliance regimes. The result is a program that is incomplete, incompatible, or otherwise deficient. This is a serious regulatory risk. While a seamless transition may not always be possible, incorporating compliance into the succession plan at the earliest possible stage is the prudent approach.
For a complete audit of your practice's HIPAA compliance practices and safeguards, please contact HIPAAcraticRx. Each of the above pitfalls can be remedied. In compliance, as in medicine, an ounce of prevention is worth a pound of cure.