Addressing everyday privacy, security, and breach notification concerns helps organizations protect patient data and avoid the financial and reputational consequences of HIPAA violations.
A study titled HIPAA Compliance: An Institutional Theory Perspective states, “Although industry surveys conducted post enforcement dates of HIPAA rules suggest low level of full compliance among US hospitals, industry experts agree that adhering to the HIPAA Privacy and Security rules are more than just about compliance, they make sound business sense.”
The Privacy Rule under HIPAA sets standards for the use and disclosure of protected health information (PHI).
HIPAA's Privacy Rule requires covered entities to provide patients with a Notice of Privacy Practices (NPP), a document that explains how their PHI may be used and disclosed and what rights they have over it. HHS investigations have nonetheless found cases where patients never receive an NPP, or receive one that omits required content.
Go deeper: HIPAA's Notice of Privacy Practices requirements for healthcare providers
HIPAA's Right of Access requires healthcare providers to give patients access to their medical and billing records upon request. Records must be provided as soon as possible and no later than 30 days after the request; a single 30-day extension is permitted if the patient is told in writing why the delay is needed. Charging a reasonable, cost-based fee for copies is allowed, but withholding records because of an unpaid bill is a HIPAA violation.
In the news: UnitedHealthcare settles with HHS over right of access violation
The Minimum Necessary Standard requires covered entities to limit uses, disclosures, and requests of PHI to the portions of a record needed for the intended purpose. It does not apply to disclosures to, or requests by, a provider for treatment, nor to disclosures to the patient or those made under a valid authorization.
HIPAA-compliant authorization forms are required for uses and disclosures of PHI that the Privacy Rule does not otherwise permit, such as most marketing and the sale of PHI. Using the appropriate form and verifying that it contains every required element (a specific description of the information, who may use or disclose it and to whom, the purpose, an expiration date or event, the individual's right to revoke, and a dated signature) is a fundamental requirement.
The Security Rule under HIPAA sets standards for safeguarding electronic PHI (ePHI).
A risk analysis identifies the threats to and vulnerabilities in every system that creates, receives, maintains, or transmits ePHI, and rates their likelihood and impact. The Security Rule requires it to be followed by risk management, so remediate what the analysis finds promptly and document the decisions.
In the news: New York AG reaches settlement with home healthcare company
Data breaches caused by lost or stolen devices such as laptops, thumb drives, and phones account for many HIPAA violations. Encrypting data on portable devices and media mitigates the risk of unauthorized access to ePHI, and under the Breach Notification Rule PHI that is encrypted consistent with HHS guidance is not "unsecured PHI", so losing a properly encrypted device is generally not a reportable breach. Healthcare organizations should also sanitize or destroy media before disposal or reuse, and track hardware and media as they move, so that PHI is not exposed during transport or disposal.
The Security Rule requires audit controls that record activity in systems containing ePHI and regular review of that activity (logs, access reports, and security incident tracking). Healthcare organizations should have policies and procedures that define who reviews what, how often, and what gets escalated as a potential breach, rather than only watching for outside intrusions.
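The review described above is mostly about what workforce members do with records they can legitimately reach, not about outside intruders. The following is an added example, not code from the page or from any EHR vendor, of an activity review run over a constructed audit trail. It also encodes the minimum necessary standard from the Privacy Rule discussion above as a role/action policy. The log format, the role policy, the care-team roster, the employee-to-patient mapping and the volume threshold are all assumptions made for the example.

```python
"""Information system activity review over EHR audit logs.

Added example, not code from the page or from any vendor product. The log
format, the role/action policy, the care-team roster and the employee-to-
patient mapping below are all assumptions constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2024-05-01T09:02:11Z,nurse_kim,nurse,P1001,view_chart
2024-05-01T09:05:40Z,dr_lee,physician,P1003,view_chart
2024-05-01T11:30:00Z,nurse_kim,nurse,P1003,view_chart
2024-05-01T12:00:00Z,clerk_raj,billing,P1001,view_billing
2024-05-01T12:01:00Z,clerk_raj,billing,P1002,view_chart
2024-05-01T13:00:00Z,clerk_raj,billing,P1009,view_billing
2024-05-01T14:00:00Z,dr_lee,physician,P1003,view_chart
2024-05-01T14:00:30Z,dr_lee,physician,P1004,view_chart
2024-05-01T14:01:00Z,dr_lee,physician,P1005,view_chart
2024-05-01T14:01:30Z,dr_lee,physician,P1006,view_chart
2024-05-01T14:02:00Z,dr_lee,physician,P1007,view_chart
2024-05-01T14:02:30Z,dr_lee,physician,P1008,view_chart
2024-05-01T14:03:00Z,dr_lee,physician,P1009,view_chart
2024-05-01T14:03:30Z,dr_lee,physician,P1010,view_chart
"""

# Assumed minimum-necessary policy: the actions each role may perform.
ROLE_ACTIONS = {
    "nurse": {"view_chart"},
    "physician": {"view_chart", "view_billing"},
    "billing": {"view_billing"},
}

# Assumed care-team roster: users with a treatment relationship per patient.
CARE_TEAM = {
    "P1001": {"nurse_kim", "dr_lee"},
    "P1002": {"nurse_kim"},
    **{f"P{n}": {"dr_lee"} for n in range(1003, 1011)},
}

# Assumed mapping of workforce members who are also patients (self-lookup check).
EMPLOYEE_PATIENT_ID = {"clerk_raj": "P1009"}


def parse_log(text):
    """Parse CSV audit lines into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return sorted(events, key=lambda e: e["ts"])


def review_activity(log_text, role_actions=ROLE_ACTIONS, care_team=CARE_TEAM,
                    employee_patient=EMPLOYEE_PATIENT_ID,
                    volume_threshold=5, window=timedelta(minutes=10)):
    """Return (rule, user, detail) findings for a reviewer to triage.

    Rules: an action outside the role's policy (minimum necessary), a chart
    view with no treatment relationship, a self-lookup, and a burst of
    distinct patient records within a short window (a snooping or export
    pattern that individual record checks would miss).
    """
    events = parse_log(log_text)
    findings = []
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
        if e["action"] not in role_actions.get(e["role"], set()):
            findings.append(("exceeds_role_permissions", e["user"],
                             f"{e['role']} performed {e['action']} on {e['patient']}"))
        elif e["action"] == "view_chart" and e["user"] not in care_team.get(e["patient"], set()):
            findings.append(("no_treatment_relationship", e["user"], e["patient"]))
        if employee_patient.get(e["user"]) == e["patient"]:
            findings.append(("self_lookup", e["user"], e["patient"]))
    # Sliding-window volume check: most distinct patients touched by a user
    # within any window that starts at one of that user's events.
    for user, evs in per_user.items():
        peak = 0
        for i, start in enumerate(evs):
            seen = {x["patient"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            peak = max(peak, len(seen))
        if peak > volume_threshold:
            minutes = int(window.total_seconds() // 60)
            findings.append(("high_volume", user,
                             f"{peak} distinct patients within {minutes} min"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_activity(SAMPLE_LOG):
        print(f"{rule:28} {user:10} {detail}")
```

Run as a script it prints four findings from the sample log: a nurse opening a chart for a patient she is not assigned to, a billing clerk opening a full chart when the role only permits billing views, the same clerk looking up his own record, and a physician touching eight charts in under four minutes. A real deployment would pull the roster and role policy from the EHR rather than hard-coding them, and the volume rule needs tuning per role (an emergency physician legitimately opens many charts an hour), but the shape of the review, policy checks per event plus a time-window aggregate per user, is what the Security Rule's activity review is meant to produce.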
To achieve compliance and prevent common HIPAA compliance issues, healthcare organizations and providers should undertake the following actions:
Go deeper: How to develop HIPAA compliance policies and procedures
Non-compliance with HIPAA can result in costly civil monetary penalties. Penalties are tiered by the level of culpability and assessed per violation, so even a small number of findings can add up to a significant hit to a healthcare organization's finances.
Go deeper: Understanding HIPAA violations and breaches
On March 29, 2024, the Office for Civil Rights (OCR) within the Department of Health and Human Services settled a HIPAA Right of Access violation with Phoenix Healthcare for $35,000. This marked the 47th such investigation by OCR to result in a financial penalty. The violation arose when Phoenix Healthcare, a multi-facility nursing care organization in Oklahoma, failed to give a daughter, acting as her mother's personal representative, timely access to her mother's medical records.
Ultimately, OCR agreed to a settlement on the condition that Phoenix does not contest the finding, revises its HIPAA policies, and trains its workforce on those policies.
Read more: HHS settles investigation into Phoenix Healthcare
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
HIPAA is designed to protect the privacy and security of individuals' health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
HIPAA applies to covered entities: healthcare providers that transmit health information electronically, health plans, and healthcare clearinghouses. It also applies to their business associates, the vendors and contractors that create, receive, maintain, or transmit PHI on a covered entity's behalf.
Not always. A covered entity may use and disclose PHI for treatment, payment, and healthcare operations without the patient's authorization. Most other uses and disclosures require the patient's written authorization, unless they are otherwise permitted or required by law.
Encryption at rest and in transit, role-based access controls, audit logging, and secure channels for exchanging records all help you handle and store health data in line with the Security Rule. HIPAA itself is technology-neutral and does not certify products as "HIPAA compliant", so evaluate tools against the rule's standards and put a business associate agreement in place with any vendor that handles ePHI on your behalf.