8 HIPAA Compliance Mistakes, And How To Avoid Them
HIPAA compliance isn’t easy to handle on your own. Even when you have a plan in place, mistakes are extremely common, and can be expensive when they result in noncompliance fines. Are you making any of these critical errors?
HIPAA compliance is not an entirely straightforward process. Compliance is complex, and there is a critical element of assessment and planning that needs to go into your compliance strategy. HIPAA compliance has a long list of requirements, and overlooking even a single one can mean serious consequences for your business.
8 HIPAA Mistakes You Might Be Making
By learning to avoid these most common HIPAA mistakes, you can eliminate the vast majority of compliance risks:
1. Human Error
It doesn’t matter which types of technical safeguards you have in place if your staff doesn’t know their role in compliance. You would be surprised how often staff members mishandle records – leaving a patient file in hard copy in a waiting area or open on a visible workstation screen.
An effective HIPAA compliance plan has to teach your staff how to handle a range of potential situations:
How to participate in compliance best practices
How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
How to use business technology without exposing patient data and other assets to external threats by accident.
How to respond when you suspect that your organization is noncompliant.
2. Cloud Compliance
The cloud can play an important role for both providers and patients in healthcare organizations. But that doesn’t mean you should just dive in without double-checking how it will affect your organization. After all, you have your HIPAA compliance to think of – how will your compliance be affected once you’ve moved your electroni Protected Health Information (ePHI) into the cloud?
In fact, the OCR has released cloud computing guidelines to help organizations stay compliant. They require that organizations make sure the cloud offers viable system availability, has a data backup solution in place, and proper security measures.
Remember – The easier it is for you to access ePHI, the easier it is for cybercriminals to do so as well. Don’t make the mistake of assuming that just because you’re not a major hospital or more active medical practice that you aren’t a potential victim – data is data.
3. Don’t Forget About State Privacy Laws
A key error many organizations make is thinking that since they’re HIPAA compliant, that’s all they need to worry about. However, depending on where you operate, you may also be subject to state-level data privacy laws.
In the case of Tennessee, however, healthcare organizations fall under a safe haven clause. If you’re subject to HIPAA, you do not have to comply with Tennessee’s state data privacy and breach notification laws, last updated in 2016.
4. No Complaint Procedure
While you may not want to, you’re required to give your patients a method by which to lodge complaints about the protection (or lack thereof) of their medical data. You need to have a formal way for patients to make a complaint and a documented process for investigating and potentially validating the claim.
5. No Privacy Notices
Under HIPAA, you’re required to send privacy notices to patients, detailing how their data is stored and used. Anytime these uses change, you must send an updated privacy notice. This must be done 60 days in advance of any changes to the process.
6. No HIPAA Insurance
Operating in the healthcare industry without HIPAA insurance is like playing with fire. Despite your best efforts, you can never know for sure that you’re fully compliant. What are you going to do when you’re hit with a massive fine?
But that’s not the case. The OCR is just as willing to investigate your minor data breach as they are major ones like Anthem’s. Frensenius Medical Center was handed a $3.5 million fine after five data breaches, each of which affected fewer than 300 patients.
That’s why HIPAA insurance is such a wise investment. At the very least, it will help to cover costs of investigation and response to claims.
7. Oral Privacy Concerns
Just as a careless staff member can risk your compliance by leaving a file open and accessible to the public by accident, you assume the same risk every time a medical professional talks openly about a patient where they may be overheard. It’s forbidden to orally discuss the patient’s care in a situation where the identity of the patient can be known by other parties. Make sure to uphold best practices at your healthcare organization, reminding staff members only to discuss patient info in private.
8. Trying To Handle HIPAA On Your Own
As you well know, HIPAA compliance is a massive undertaking, with many obstacles and complications involved. Why would you try to manage it without expert help?
The Kraft Technology Group team understands how complicated HIPAA compliance is, and that organizations of your size need to focus their available personnel on treating patients. That’s why we’ll handle your HIPAA compliance for you.
When you choose to work with us, we will:
Conduct a risk assessment to identify gaps between your existing security measures and compliance requirements.
Implement the proper technical safeguards to address gaps and secure electronic protected health information.
Assist in creating the policies and procedures needed to keep your staff operating in a way that’s compliant at all times.
Want to double-check your HIPAA compliance right now? Download our HIPAA Compliancy Checklist here.
Like this article? Check out the following blogs to learn more:
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.