Five Stumbling Blocks Hinder HIPAA Compliance

Failure to conduct compliance audits. The Security Rule calls it an evaluation, but it's really a compliance audit, says Apgar. Organizations need to conduct an annual compliance audit and also should conduct periodic audits, including an information systems activity review. "It's not happening in organizations. They either have never done it or don't do it on a consistent basis," says Apgar.

Lack of disaster recovery planning and emergency mode operations. Organizations either don't have a plan or it is out-of-date. Or the plan may focus only on how the organization will get its computers back up and running during an emergency. But consider a hypothetical situation; there is a flu pandemic and most of your staff members are out sick. The computers are running, but you haven't addressed how to keep your business going while trying to recover from this type of emergency. So don't focus only on technology during disaster planning. You need a business continuity plan that addresses all aspects of coping with a disaster or emergency.

So where should you begin to ensure compliance with all current regulations?

Focus first on the risk analysis and compliance audit because they "will show you where the holes are" and where your specific organization is lacking, says Apgar.