The majority of healthcare organizations are still perplexed about HIPAA
According to the U.S. Department of Health and Human Services (HHS), about 70 percent of organizations are not compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HIPAA mandates industry-wide standards for healthcare information and electronic billing, and requires protection as well as confidential handling of protected health information.
According to HIPAA rules, any company that deals with protected information must have a physical network and process security measures that are followed to ensure compliance. It may be safe to say that many organizations are still perplexed about HIPAA audits, enforcements and compliance. As a result, the number of organizations that fail to meet compliance each year remain the majority.
To begin understanding compliance, healthcare organizations would be wise to consider three key recommendations.
1. Analyze the Past to Avoid Making the Same Mistake Twice
It is important for hospitals and healthcare facilities to look at some of the common mistakes that are repeatedly noted in HIPAA security reviews. HIPAA states that out of all the reviews completed, there are a number of frequent compliance violations and issues that are found each year. This includes:
• Impermissible uses and disclosures of protected health information.
• Lack of safeguards to protect health information.
• Lack of patient access to their personal health information.
• Lack of administrative safeguards on electronic protected health information.
• Use or disclosure of more than the minimum protected health information.
Protecting valuable data by analyzing past mistakes is an important step in the compliance process.
2. Perform a Risk Assessment and Gap Analysis
One preventative measure in assessing an organization’s compliance with HIPAA is a risk analysis and a gap analysis. The confusion and lack of understanding around the two examinations has been common among healthcare professionals in the marketplace for some time. Not understanding the differences can be detrimental to an organization and puts it at a significantly higher risk. According to HHS and Office for Civil Rights (OCR) guidelines, all healthcare organizations must specifically conduct a risk analysis to be deemed within HIPAA compliance.
A HIPAA gap analysis can be used to measure the organizations information security standing against HIPAA, which is part of HHS audit protocol. Comparing the organization’s current practices to the HHS OCR audit protocol will identify the strengths and weakness of the security program. From there, the organization can determine whether they have reasonable and appropriate administrative, physical and technical safeguards in place to protect patient health records. Performance of the gap analysis also allows the organization to develop an audit response toolkit that includes the data and documentation that would be able to support compliance with the HIPAA regulations to regulatory agencies.