01/31/2023

HIPAA compliance programs can be tricky for providers and covered entities, regardless of size. I discovered this first-hand late last year when my wife called to set up her own appointment with a provider I also visited. As soon as my wife gave her information, the assistant on the other end of the line recognized our shared last name and proceeded to discuss my scheduled appointments with her.

Intentional or not, this provider just committed a HIPAA violation, as my wife was not on my Protected Health Information (PHI) disclosure list. While there was no real damage done, such incidents serve as a cautionary tale for how easy it is for breaches to occur. This incident also introduces a larger question: How do covered entities create an effective HIPAA compliance program, despite a growing market for PHI and increasing security challenges in an ever-changing healthcare landscape? To answer this, first, we need to understand the risk.

UNDERSTANDING YOUR RISK FOR HIPAA VIOLATIONS IN THE INFORMATION AGE

If you’re a provider or covered entity placing their HIPAA compliance on the back burner, you aren’t alone. As of November 2022, HHS noted 68% of their investigated complaints found HIPAA-required entities that were not HIPAA compliant. While the penalties for noncompliance vary depending on a number of factors, the potential risk for violations has grown with a burgeoning information market for PHI. 2021 was a record year in HIPAA violations nationwide due to multiple risk factors, including:

1. The adoption of remote work and telehealth. As remote work has flourished, so too has access to PHI shared across unsecured networks or with third parties. Team members working from home often lack the physical and digital safeguards of offices. Meanwhile, telehealth provides more avenues for information to be stolen electronically.

2. The rise in patient demands for PHI. Patients are demanding greater access to their health data. What used to require a phone call or in-office visit can now, largely, be shared digitally. With this change, opportunities for potential violations have increased.

3. The failure to establish compliance agreements with businesses associates. Not all covered entities are providers, but everyone who has access to PHI is required to keep it safe. Often, business associates that partner with providers or institutions have access to PHI, but the business agreement itself isn’t HIPAA compliant. If one of these business associates suffers a breach, the provider or partner institution is liable.

4. The incentive for bad actors to intercept PHI. Individual healthcare records are now worth hundreds of dollars on the dark web. This has created a powerful incentive for hackers to secure this data. This contributes to a growing number of cybersecurity threats, including ransomware attacks.

What used to require a phone call or in-office visit can now, largely, be shared digitally. With this change, opportunities for potential violations have increased.

BUILDING THE FRAMEWORK FOR YOUR HIPAA COMPLIANCE PROGRAM

Generally, there are three key areas behind HIPAA compliance:

  • Administrative Policy & Procedural Safeguards: This includes policies procedures, training, and a dedicated compliance department to ensure that all team members are following HIPAA compliance practices.
  • Physical Safeguards: This includes protection against physical PHI breaches, such as the theft of hardware or files.
  • Technical Safeguards: This includes digital safeguards, such as the encryption of electronic PHI.

While the need for a three-pronged approach is warranted, for this blog we will focus on what is, surprisingly, the largest soft spot for HIPAA violations across covered entities: making the organizational shift to robust administrative and procedural safeguards.

MAKING YOUR ORGANIZATIONAL SHIFT TO HIPAA COMPLIANCE

1. Establish a HIPAA champion. For most organizations, this individual is the compliance or privacy officer who supervises and enforces the HIPAA policy and training. Larger organizations may have significant staff and resources devoted to this role, while smaller entities may simply assign this role part-time to a team member. Regardless of the number of people involved, establishing this champion, or these champions, is a crucial first step to ensuring entity-wide compliance.

2. Develop policies and risk assessment practices in accordance with OCR and HHS guidelines. Regular assessments are a part of all three fronts of HIPAA compliance, but risk assessments related to administrative safeguards involve auditing an entity’s security management process for PHI, access protocols for information management, and workforce training. Once policies and procedures are in place, it’s time to establish a plan to roll out and train your team members and determine a schedule for regular audits and assessments.

3. Train your workforce. Now that policies and procedures are in place, it’s time to create a training plan. The effectiveness of these training plans relies on your compliance officer’s or department’s commitment to remaining current on HIPAA regulations. Some entities make the mistake of conducting HIPAA compliance training once a year, or only as a part of onboarding. While we encourage you to conduct initial training of your policies and procedures as a part of the onboarding process, regular training and reminders will ensure that HIPAA stays top-of-mind for everyone at the organization.

4. Create a maintenance plan for ongoing training and education. HIPAA compliance and the threats it faces are constantly evolving, so your approach must evolve as well. We’ve already discussed the importance of regular audits, which are a part of any maintenance plan, but regular training is just as important. Often, annual training is not enough; quarterly training about the responsibilities of individual team members and their role in potential violations is crucial. Think we’re overstating the issue? Investigations into compliance found that less than 78% of employees for covered entities have a basic understanding of privacy and security laws related to PHI and HIPAA. Your training should cover a plan to address access controls, security risks, and anything your compliance officer defines as crucial. Ongoing maintenance should include regular tests for employee compliance as a part of an audit. Offering incentives for compliance training is just one way in which you can ensure your long-term training protects against breaches made by your personnel.

NEED GUIDANCE CHARTING YOUR PATH TO COMPLIANCE? WE CAN HELP.

Whether you are an established covered entity, or a small provider office new to navigating the ins and outs of HIPAA compliance, Sendero can equip you with the tools to face the challenge head-on. Fill out the form below to connect to a consultant and start the conversation about PHI security in your organization.

By Chris Scoggins

EXPLORE OUR HEALTHCARE EXPERIENCE EXPLORE OUR WORK

More Case Studies

Learning Management System for a Healthcare Provider

A large nonprofit healthcare system selected Cornerstone as their new Learning Management System (LMS) to better support a large training effort that preceded an Electronic Health Record (EHR) system implementation.

Optimizing a Provider Directory for a Healthcare System

After a healthcare system went through a merger, they launched a project to consolidate Find a Doctor websites to improve the patient experience.

PCI Compliance for Healthcare System

A large healthcare system was notified that it is now required to report compliance as one entity, rather than separate small business units. Through existing relationships, the client learned of Sendero's experience with PCI Compliance and requested assistance.

Access Tool Implementation for an EMR at a Healthcare System

After the merger of two large Texas-based healthcare systems, a need existed to change to one electronic medical record (EMR) system across the enterprise.

Related Practice Areas

Systems Implementation
Systems Implementation
Project Management Office
Project Management Office

ABOUT THE AUTHOR

Chris Scoggins

Chris is a Manager in our Dallas office with industry experience in utilities and healthcare.

HIPAA compliance and the threats it faces are constantly evolving, so your approach must evolve as well.

Related Posts

Operationally Efficient Nurse Staffing Models

Recently, these Senderoans were catching up over a cup of coffee and discussed some of the key challenges they faced during their time working in the clinical setting. To their surprise, they found many similarities in the themes they shared, though working within different roles in different healthcare organizations. A deeper conversation surrounding the various nurse staffing models led to further review and study of the topic.

Continue To Post
Building the Hospital of the Future: Laying the Foundation for Innovative Technology in Healthcare

As the pace of change continues to accelerate, how can you plan for technology in healthcare that doesn't exist today? To ensure your people and processes are ready, these building blocks can help lay the foundation for your hospital of the future.

Continue To Post
The Symptoms of Change Fatigue and the Cure to Solve It

Healthcare professionals are getting stressed and burned out. Much of this can be attributed to change fatigue.

Continue To Post
Patient Value Versus Volume: Pairing Home Health Care with Distributed Care

With the shift to patient outcomes being the main driver in Healthcare, providers should consider the benefits of pairing Home Health Care & Distributed Care to achieve optimal consumer satisfaction. Enabling technology is at the core of being successful at both. Learn how enabling technology can help providers pave the path for the 'Value Agenda' to transform the patient experience.

Continue To Post
Proactive Patient Care - It Takes More Than an Apple a Day

By focusing on managing and leading the transformation to a proactive healthcare organization, you can position your people and processes to meaningfully adopt a new standard of patient care.

Continue To Post

Drop Us A Line

Close Button