
Five Stumbling Blocks Hinder HIPAA Compliance

By dnicastro@hcpro.com
February 03, 2010

When Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR, conducts audits of healthcare organizations, he usually finds problems in five areas.

Many organizations are focusing on the new privacy and security requirements created by the Health Information Technology for Economic and Clinical Health (HITECH) Act. However, they also must measure their overall compliance with HIPAA requirements already on the books, says Apgar.

Facilities and organizations considering what to do next should concentrate on compliance in these five areas, says Apgar:

Lack of a risk analysis. Organizations either haven't conducted a risk analysis, or they last conducted one in 2005 when the HIPAA rule became final, he says. A risk analysis is "the foundation for your security program," he says. "You need that to build on."

Undocumented policies and procedures. Organizations may be doing the right thing, but they haven't documented it in their policies and procedures, he says. Less frequently, organizations do not follow proper procedures and don't have anything in writing.

Lack of training. Organizations may train new staff members, but many don't provide ongoing training, or the training they offer is often out-of-date, he says.

Failure to conduct compliance audits. The Security Rule calls it an evaluation, but it's really a compliance audit, says Apgar. Organizations need to conduct an annual compliance audit and also should conduct periodic audits, including an information systems activity review. "It's not happening in organizations. They either have never done it or don't do it on a consistent basis," says Apgar.

Lack of disaster recovery planning and emergency mode operations. Organizations either don't have a plan or it is out-of-date. Or the plan may focus only on how the organization will get its computers back up and running during an emergency. But consider a hypothetical situation: there is a flu pandemic and most of your staff members are out sick. The computers are running, but you haven't addressed how to keep your business going while trying to recover from this type of emergency. So don't focus only on technology during disaster planning. You need a business continuity plan that addresses all aspects of coping with a disaster or emergency.

So where should you begin to ensure compliance with all current regulations?

Focus first on the risk analysis and compliance audit because they "will show you where the holes are" and where your specific organization is lacking, says Apgar.

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
