Common HIPAA compliance issues and concerns

Addressing everyday privacy, security, and breach notification concerns helps organizations protect patient data and avoid the financial and reputational consequences of HIPAA violations.

A study titled HIPAA Compliance: An Institutional Theory Perspective states, “Although industry surveys conducted post enforcement dates of HIPAA rules suggest low level of full compliance among US hospitals, industry experts agree that adhering to the HIPAA Privacy and Security rules are more than just  about  compliance, they make sound business sense.”

Privacy rule concerns

The Privacy Rule under HIPAA sets standards for the use and disclosure of protected health information (PHI).

Improper notice of privacy practices

HIPAA's Privacy Rule requires providing patients with a Notice of Privacy Practices (NPP). This document outlines how their PHI will be used and protected. However, the Department of Health and Human Services (HHS) has found that patients either do not receive an NPP or the notice provided is inadequate.

Go deeper: HIPAA's Notice of Privacy Practices requirements for healthcare providers

Timeliness and cost of providing medical records

HIPAA instructs that healthcare providers grant patients access to their medical and billing information upon request. The information should be provided as soon as possible but no later than 30 days after the request. Charging a reasonable, cost-based fee for copies is allowed, but refusing to provide medical records due to unpaid charges is a HIPAA violation.

In the news: UnitedHealthcare settles with HHS over right of access violation 

Providing only relevant medical record information

The Minimum Necessary Standard requires that healthcare providers only disclose the portions of medical records necessary for the intended purpose.

Authorization issues

HIPAA compliant authorization forms are necessary for specific uses and disclosures of PHI. Using the appropriate authorization form and verifying that it includes all the required components is a fundamental requirement. 

Security rule concerns

The Security Rule under HIPAA sets standards for safeguarding electronic PHI (ePHI).

Maintain a current risk analysis

A risk analysis assesses vulnerabilities and identifies areas where ePHI could be at risk. Be sure to act quickly to patch any vulnerabilities discovered in the analysis. 

In the news: New York AG reaches settlement with home healthcare company

Lost or stolen data

Data breaches resulting from lost or stolen devices, such as laptops, thumb drives, or cell phones, account for many HIPAA violations. Encrypting data on portable media devices can help mitigate the risk of unauthorized access to ePHI. Healthcare organizations should also ensure proper disposal of PHI to prevent breaches during media movement or disposal. 

Audit and monitoring

Regularly auditing and monitoring systems for intrusions is a requirement under the HIPAA Security Rule. Healthcare organizations should have policies and procedures in place for conducting audits and monitoring systems for any potential breaches. 

Summary of HIPAA compliance best practices

To achieve compliance and prevent common HIPAA compliance issues, healthcare organizations and providers should undertake the following actions:

• Regularly update the Notice of Privacy Practices to reflect changes in how PHI is used and disclosed.
• Use HIPAA compliant email whenever transmitting PHI.
• Respond to medical record requests promptly, within the 30-day timeframe mandated by HIPAA.
• Limit the use and disclosure of PHI to the minimum necessary for the intended purpose.
• Use HIPAA compliant authorization forms.
• Conduct and maintain a current security risk analysis to identify vulnerabilities.
• Encrypt data on portable media devices and ensure proper disposal of PHI.
• Regularly audit and monitor systems for intrusions to prevent unauthorized access to ePHI.
• Train staff on the steps to take in the event of a HIPAA-related complaint.

Go deeper: How to develop HIPAA compliance policies and procedures 

Potential damages

Non-compliance with HIPAA can result in costly fines and financial penalties. While violations may be infrequent, the cumulative effect can have a significant impact on a healthcare organization's finances. 

Go deeper:  Understanding HIPAA violations and breaches

In the news

On March 29, 2024, the Office for Civil Rights (OCR) within the Department of Health and Human Services settled a HIPAA Right of Access violation with Phoenix Healthcare for $35,000. This marked the 47th such investigation by OCR that resulted in a financial penalty. The violation arose when Phoenix Healthcare, a multi-facility nursing care organization in Oklahoma, failed to provide a daughter, acting as her mother's representative, timely access to her mother's medical records. 

Ultimately, OCR agreed to a settlement on the condition that Phoenix does not challenge the decision, revises its HIPAA policies, and conducts training on these policies for its workforce.

Read more: HHS settles investigation into Phoenix healthcare 

FAQs

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).

HIPAA is designed to protect the privacy and security of individuals' health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.

Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.

Do I need patient consent to access and use their health information for the specified purpose?

Yes, you generally need patient consent to access and use their health information for the specified purpose, unless otherwise permitted or required by law.

What tools and technologies can be used to securely handle and store sensitive health data in compliance with HIPAA regulations?

You can use encrypted databases, secure communication channels, access controls, and other HIPAA compliant technologies to securely handle and store sensitive health data in compliance with HIPAA regulations.