Weber & Nelson Law Office, PLLC
Minnesota Health Law Attorneys

Less than a third of healthcare organizations are HIPAA compliant

| Jun 6, 2019 | Uncategorized

Every medical professional knows the importance of protecting healthcare information. But not every professional is equally good at implementing the security measures that protect it.

According to the Department of Health and Human Services (HHS), about 70% of all U.S. healthcare organizations are not compliant with the Health Insurance Portability and Accountability Act (HIPAA).

Why are so many organizations noncompliant?

Non-compliance with HIPAA can result in hefty civil penalties and even criminal charges. It is surprising, then, that most healthcare organizations are not compliant with HIPAA regulations.

With today's high-tech methods of communication and data storage, cybersecurity is no simple task. Changing threats and regulations require health professionals to remain constantly vigilant. Here are three steps that healthcare organizations can take to prevent a violation:

1. Look at previous mistakes

One of the first steps a healthcare organization should take is to make note of the issues that HIPAA security reviews have flagged most often in the past. According to these reviews, a number of violations occur frequently. These include:

  • Impermissible uses and disclosures of health information
  • Absence of proper safeguards for health information
  • Failure to give patients access to their own health information
  • Absence of administrative safeguards

2. Conduct risk and gap analyses

A risk analysis is a process that identifies factors that may present a risk to an organization. In the context of HIPAA compliance, a healthcare organization should identify risks to the confidentiality, integrity and availability of the health information it holds, including electronic protected health information (ePHI).

Furthermore, an organization can use a HIPAA gap analysis to compare the current state of its information security program against HIPAA standards. Doing so will help expose any weaknesses in the security program.

3. Make an action plan

During an audit, the HHS Office for Civil Rights (OCR) will conduct an initial review of the organization and then create a final report. Only the final report is used to determine whether a HIPAA violation has occurred.

After the initial review, OCR will send the healthcare organization a copy of its preliminary findings, giving the organization a chance to respond. Any responses to the concerns OCR raises will be recorded in the final report.

Having an action plan in place leaves an organization better prepared to address any discrepancies that come up during an audit. Doing so can keep an organization from being found in violation of HIPAA guidelines.