How healthcare organizations can prevent HIPAA violations.
While HIPAA is now a household term, healthcare organizations continue to face challenges when implementing HIPAA requirements. The HIPAA Privacy Rule contains over 50 standards and implementation specifications — generally, all of which must be addressed and implemented by a covered entity in policy and practice — and these regulatory standards are seldom clear.
In reviewing enforcement activities conducted by the U.S. Department of Health and Human Services Office for Civil Rights (OCR), many of these challenges are similar and consistent across organizations. The healthcare function, the size and the geographic locality don’t seem to affect the routine gaps identified. But healthcare organizations can try to solve HIPAA problems only when they know where they exist. Here are five of the more common HIPAA compliance gaps.
While many organizations have implemented HIPAA policies and procedures, OCR found insufficient policies and procedures in nearly all of the enforcement activities that resulted in a resolution agreement in 2018. A majority of resolution agreements require the covered entity to implement, revise or distribute policies and procedures addressing Privacy Rule requirements.
Covered entities must take care to implement (i.e., create, distribute and train workforce members on) policies and procedures that address all applicable HIPAA requirements. They must also be tailored to the unique processes and practices of the organization. An organization’s privacy policies cannot be off-the-shelf templates. Workforce members unsure of a practice or organizational position should be able to quickly obtain and review the organization’s written policy on the issue.
The Privacy Rule requires a covered entity to train its workforce on the policies and procedures required by HIPAA, as necessary and appropriate for the members of the workforce to perform their jobs. In nearly all of the enforcement activities that resulted in a resolution agreement in 2018, OCR mandated training for the organization’s workforce as well as documentation (evidence) of the training provided.
While the Privacy Rule requires covered entities to train their workforce within a reasonable period of time after a person joins, a best practice is to provide training shortly after hiring — usually within 30 days. Annual training and training tied to sanctions should be performed and documented. Other training methods should be employed, such as frequent short updates or newsletters to keep privacy at the forefront of the workforce’s mind.
During 2017 and 2018, OCR investigated both covered entities and business associates due to noncompliant and/or missing business associate agreements (BAAs). A covered entity or business associate must always enter into a valid BAA with a vendor that creates, receives, maintains or transmits protected health information (PHI) on its behalf.
Based upon the regulatory requirements and enforcement activities by OCR, it is imperative that covered entities and business associates do the following: confirm valid BAAs are in place, when required; verify that executed BAAs contain all required provisions; ensure anyone who engages with vendors is trained to identify when a BAA is required; and maintain an accurate, current inventory of all business associates and BAAs.
The Privacy Rule requires covered entities to both limit uses and disclosures of PHI to the “minimum necessary” and implement appropriate administrative, technical and physical safeguards to protect the privacy of PHI. A covered entity risks an investigation and/or enforcement action if it has not implemented policies and procedures that prohibit workforce members from accessing PHI without a valid purpose and require termination of access privileges upon employee separation.
In a paper world, it may have been challenging for organizations to know when someone accessed PHI impermissibly or improperly viewed PHI. Now, covered entities are able to implement user access monitoring for e-PHI, which assists the organization in knowing when, where, how and by whom PHI was accessed. Upon learning of the impermissible access, the covered entity should take steps — outlined in policy — to terminate access, sanction the offending workforce member and, at a minimum, provide remedial training to that person.
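The access-monitoring point above is where a technical control can turn a policy into evidence. The following is an added example, not code from the article or from CynergisTek: it reviews a constructed e-PHI access log against a workforce roster (with separation dates) and a list of documented patient relationships, and flags the three conditions the text calls out: access after separation, access without a valid purpose (here approximated as no documented relationship with the patient), and access by an account that is not on the roster at all. The log format, the roster and the relationship data are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, date

# Constructed workforce roster (assumption): username -> role and separation date, if any.
WORKFORCE = {
    "jdoe":   {"role": "nurse",   "separated": None},
    "asmith": {"role": "billing", "separated": date(2018, 6, 15)},
    "rlee":   {"role": "nurse",   "separated": None},
}

# Constructed "valid purpose" data (assumption): patients each user has a documented
# treatment or payment relationship with, e.g. exported from the EHR's care-team assignments.
VALID_RELATIONSHIPS = {
    "jdoe":   {"P-1001", "P-1002"},
    "asmith": {"P-1003"},
    "rlee":   {"P-1002"},
}

# Constructed e-PHI access log in an assumed key=value format (not real audit data).
ACCESS_LOG = """\
2018-06-10T08:02:11 user=jdoe patient=P-1001 action=view
2018-06-10T08:05:47 user=jdoe patient=P-1009 action=view
2018-06-20T13:30:00 user=asmith patient=P-1003 action=view
2018-06-11T09:12:05 user=rlee patient=P-1002 action=view
2018-06-11T22:41:19 user=unknown7 patient=P-1002 action=view
"""


@dataclass
class Finding:
    timestamp: datetime
    user: str
    patient: str
    reason: str


def parse_line(line):
    """Split one log line into (timestamp, user, patient, action)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["patient"], kv["action"]


def review_access_log(log_text, workforce=WORKFORCE, relationships=VALID_RELATIONSHIPS):
    """Return a Finding for every access event that needs follow-up under policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = parse_line(line)
        record = workforce.get(user)
        if record is None:
            # Account is not a known workforce member: should not exist, let alone access PHI.
            findings.append(Finding(ts, user, patient, "account not in workforce roster"))
            continue
        separated = record["separated"]
        if separated is not None and ts.date() > separated:
            # Access privileges should have been terminated at separation.
            findings.append(Finding(ts, user, patient,
                                    f"access after separation on {separated.isoformat()}"))
            continue
        if patient not in relationships.get(user, set()):
            # No documented relationship: treat as access without a valid purpose.
            findings.append(Finding(ts, user, patient, "no documented relationship with patient"))
    return findings


def findings_by_user(findings):
    """Group findings per user so the privacy office can open one case per workforce member."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.user, []).append(f)
    return grouped


if __name__ == "__main__":
    for user, items in findings_by_user(review_access_log(ACCESS_LOG)).items():
        print(user)
        for f in items:
            print(f"  {f.timestamp.isoformat()} patient={f.patient}: {f.reason}")
```

Each finding feeds the policy steps the text describes (terminate access, sanction, retrain) and, just as importantly, is itself the documentation OCR looks for. In a real deployment the roster and relationship data would come from HR and the EHR rather than literals, and "valid purpose" would include break-the-glass and other legitimate access paths that this simplified check treats as findings.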
In 2013, OCR revised the definition of a “breach” to require covered entities to perform a four-factor assessment when evaluating whether an impermissible acquisition, access, use or disclosure of unsecured PHI requires notification. Some covered entities revised policies, procedures and templates to address the revised definition and assessment standard. However, many organizations still use the prior, outdated approach when assessing incidents.
In addition, the Breach Notification Rule requires notification to the affected individuals, OCR and possibly media no later than 60 days after discovery of a breach. Failure to timely notify can have serious consequences, including OCR enforcement and monetary penalties.
In learning from the mistakes of others, covered entities should: review current policies and practices to confirm terms are defined properly; confirm breach assessments use the current, four-factor methodology; confirm template notification letters contain all required content; and confirm notification is to all appropriate parties in a timely manner.
While no covered entity or organization will always address HIPAA requirements perfectly, some of these steps can help avoid common compliance gaps and minimize the potential risk of an investigation or enforcement action.
Marti Arvin, J.D., executive advisor, and Andrew Mahler, J.D., manager of privacy services, work for CynergisTek.