Recent Buck survey finds HIPAA compliance lacking for health plan sponsors


Buck's 2019 HIPAA Readiness Survey finds that health plan sponsors still struggle with HIPAA compliance.

Buck's researchers set out to gauge the industry's adherence to HIPAA against a backdrop of increasing enforcement and investigation by the U.S. Department of Health and Human Services (HHS).

The results were alarming.

Survey Results

The survey was conducted in April and May 2019. Its findings, particularly on risk assessment, business associates, employee training, and breach notification, point not only to a lack of compliance but to a lack of understanding of what the rules require.

One-third of survey respondents were unsure when their organization last performed a risk/threat assessment; an additional 10% (42% total) thought the last assessment was more than five years old.

Astonishingly, only 39% updated their security policies and procedures within the last year; employee training followed the same trend.

Some 35% of respondents last offered training one to five years ago, 13% said their organization only trains employees when they first start, and 10% were not sure when training was last provided.

Similarly, 33% either have not inventoried their business associates (BAs) or were uncertain if an inventory was ever done.

A further 16% were unsure whether they had current business associate agreements (BAAs) in place, and 3% knew that no current agreement existed.

Finally, while about three-quarters of respondents had breach notification policies in place, 10% had no such policy and 16% were unsure whether one existed.

What can we learn

The results should be a warning to the health industry: on each of the core requirements surveyed, only about half of respondents could say with confidence that their organization was compliant.


It is essential for all health organizations to learn, understand, and implement the HIPAA regulations, not only to protect patient privacy but to safeguard themselves from breaches and enforcement actions.

Organizations must build policies and procedures to address each aspect of HIPAA; then they must efficiently communicate, follow, and monitor them.

Updates must occur after regulation changes, organizational developments (whether technological, environmental, or business-related), and violations or breaches.

Finally, organizations must perform risk analyses (the HIPAA Security Rule requires a documented risk analysis) and employee training on a recurring schedule, and verify that both actually work rather than treating them as one-time events.

Having a strong security program and implementing technology like Paubox’s HITRUST CSF certified solutions provide the protection needed within an industry with such sensitive data.


About the author

Kapua Iao
