© 2023 HealthWorks Collective. All Rights Reserved.
HIPAA Privacy and Security Compliance: Should You Care?

David Harlow

The HIPAA/HITECH Omnibus Rule became effective just over one year ago. The compliance date was just over six months ago. Within about another six months (plus or minus), Federal regulators – at the Office for Civil Rights at the US Department of Health and Human Services – will begin a new round of HIPAA compliance audits. They are already actively involved in complaint investigations governed by the “new” HIPAA rules. Other Federal, state and territorial authorities are actively involved in HIPAA and related health data privacy and security enforcement activity: the Federal Trade Commission, the Secret Service, the Puerto Rico Health Insurance Administration, state attorneys general. The “Wall of Shame” on the OCR website adds information about newly disclosed data breaches on a regular basis. Fines under the new HIPAA rules may hit $1.5 million or more. Fines under other regulatory schemes have climbed significantly higher. Compliance agreements, follow-up audits and more await those covered entities (health care providers or payors) (CEs) or business associates (everyone else in the health care ecosystem – billing services, marketing agencies, consultants, shredding contractors, attorneys, accountants, etc.) (BAs) unfortunate enough to experience a lapse in their HIPAA compliance programs and to have occasion to file a breach notification, or to be the subject of a complaint investigation or random audit.

There are innumerable clinical, financial and compliance issues to be concerned about in this watershed era for the American health care system. However, do not forget about HIPAA.

Long before becoming covered entities under HIPAA, physician practices have been aware of their responsibilities regarding privacy and security of protected health information (PHI in HIPAA-speak). The HIPAA rules have added a layer of compliance requirements to a pre-existing landscape of patient records privacy laws. Some of the regulatory changes affect the ways in which physician practices may market to new and established patients, but many of the changes that took effect last year relate to the obligations of business associates – “downstream contractors” that deal in PHI on behalf of physician practices. BAs are now explicitly subject to the same compliance requirements applicable to CEs. And it is the responsibility of each CE to ensure that downstream contractors are doing what they are supposed to be doing in the realm of HIPAA compliance – or risk being held liable for the failings of their BAs. It is therefore a good time for physician practices to re-examine their HIPAA compliance plans, the scrutiny applied to their BAs’ HIPAA compliance programs, and their contractual agreements with BAs. The bottom line is, well, the bottom line; Covered Entities are now explicitly liable for the HIPAA compliance of their Business Associates.

What does this mean in practice?

1. Tailor-made compliance plans. Unlike other regulatory schemes, which envision compliance with specific rules and regulations, and allow for certification of compliance, HIPAA is a much looser construct. There are standards, but adherence to all of them is not mandatory. Some standards are “addressable” – which means that regulated entities may address certain regulatory concerns in ways other than full compliance with the methods outlined in the rule. The idea is that this is not a one-size-fits-all program; rather, HIPAA compliance programs need to be tailored to the privacy and security needs of an individual CE or BA.

2. Adoption of policies; review of policies and related documents. Privacy and security policies must be revised and updated on a regular basis, particularly in connection with a major regulatory overhaul such as the promulgation of the Omnibus Rule, but also on an annual basis. Grandfathered Business Associate Agreements (BAAs) should be reviewed for compliance with the new regulations as well. More and more CEs are looking for indemnification provisions in their BAAs. In the end, though, the indemnities are only as good as the BA’s HIPAA compliance program and insurance, both of which bear closer examination.

3. Workforce training. Once appropriate policies, agreements and insurance are in place, the workforce must be trained, and tested, on the HIPAA compliance material.

4. Risk assessments. Risk assessments – preferably handled by outside data security experts – must be conducted on an annual basis. A good risk assessment will uncover room for improvement even in an organization that is highly attuned to HIPAA compliance. Why? Because this is more of a continuous improvement exercise addressing evolving realities than it is check-the-box compliance with a static rule.

Are there things other than HIPAA compliance that demand investment of staff and other resources? Of course there are. But the costs associated with failing to invest appropriately in this realm can be significant. Multi-million-dollar fines and imposition of compliance monitoring agreements — to say nothing of the attendant negative publicity — may be devastating. It seems clear that the investment in HIPAA compliance is one that is likely to pay dividends over the years.

A well-developed, well-documented and well-implemented privacy and security policy, where training and testing of staff is documented, where key agreements are in place and easily producible for review when your friendly neighborhood government agent comes knocking, will go a long way towards minimizing potential sanctions when (not if) your organization experiences a breach of privacy or security of protected health information.

This post first appeared on The Doctor Blog.
