By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
    Health
    Healthcare organizations are operating on slimmer profit margins than ever. One report in August showed that they are even lower than the beginning of the…
    Show More
    Top News
    learn to recognize and treat yeast infections
    Most Commonly Asked Questions About Yeast Infections
    November 17, 2021
    Advanced lung cancer diagnosis systems used by doctors
    Advanced Lung Cancer Diagnosis Systems Used by Doctors
    March 6, 2022
    The Top Benefits of a Wearable Blood Pressure Monitor Watch
    The Top Benefits of a Wearable Blood Pressure Monitor Watch
    June 13, 2022
    Latest News
    Beyond Nutrition: Everyday Foods That Support Whole-Body Health
    June 15, 2025
    The Wide-Ranging Benefits of Magnesium Supplements
    June 11, 2025
    The Best Home Remedies for Migraines
    June 5, 2025
    The Hidden Impact Of Stress On Your Body’s Alignment And Balance
    May 22, 2025
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
    Policy and Law
    Get the latest updates about Insurance policies and Laws in the Healthcare industry for different geographical locations.
    Show More
    Top News
    Chronic Disease Prevention Remains Top Priority
    September 9, 2017
    Worst Editorial of the Week Award
    September 13, 2017
    Are the Uninsured Getting a Free Ride?
    May 16, 2011
    Latest News
    Let Your Lawyer Handle the Work Before You Pay Medical Costs
    July 6, 2025
    Top HIPAA-Compliant Messaging Apps for Healthcare Teams
    June 25, 2025
    When Healthcare Ends, the Legal Process Begins: What Families Should Know About Probate and Medical Estates
    June 20, 2025
    Preventing Contamination In Healthcare Facilities Starts With Hygiene
    June 15, 2025
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: HIPAA Privacy and Security Compliance: Should You Care?
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > Policy & Law > Health Reform > HIPAA Privacy and Security Compliance: Should You Care?
Health ReformMedical RecordsPolicy & LawPublic Health

HIPAA Privacy and Security Compliance: Should You Care?

David Harlow
David Harlow
Share
7 Min Read
SHARE

Open doorThe HIPAA/HITECH Omnibus Rule became effective just over one year ago.

Open doorThe HIPAA/HITECH Omnibus Rule became effective just over one year ago. The compliance date was just over six months ago. Within about another six months (plus or minus), Federal regulators – at the Office for Civil Rights at the US Department of Health and Human Services – will begin a new round of HIPAA compliance audits. They are already actively involved in complaint investigations governed by the “new” HIPAA rules. Other Federal, state and territorial authorities are actively involved in HIPAA and related health data privacy and security enforcement activity: the Federal Trade Commission, the Secret Service, the Puerto Rico Health Insurance Administration, state attorneys general. The “Wall of Shame” on the OCR website adds information about newly disclosed data breaches on a regular basis. Fines under the new HIPAA rules may hit $1.5 million or more. Fines under other regulatory schemes have climbed significantly higher. Compliance agreements, follow-up audits and more await those covered entities (health care providers or payors) (CEs) or business associates (everyone else in the health care ecosystem – billing services, marketing agencies, consultants, shredding contractors, attorneys, accountants, etc.) (BAs) unfortunate enough to experience a lapse in their HIPAA compliance programs and to have occasion to file a breach notification, or to be the subject of a complaint investigation or random audit.

There are innumerable clinical, financial and compliance issues to be concerned about in this watershed era for the American health care system. However, do not forget about HIPAA.

Long before becoming covered entities under HIPAA, physician practices have been aware of their responsibilities regarding privacy and security of protected health information (PHI in HIPAA-speak). The HIPAA rules have added a layer of compliance requirements to a pre-existing landscape of patient records privacy laws. Some of the regulatory changes affect the ways in which physician practices may market to new and established patients, but many of the changes that took effect last year relate to the obligations of business associates – “downstream contractors” that deal in PHI on behalf of physician practices. BAs are now explicitly subject to the same compliance requirements applicable to CEs. And it is the responsibility of each CE to ensure that downstream contractors are doing what they are supposed to be doing in the realm of HIPAA compliance – or risk being held liable for the failings of their BAs. It is therefore a good time for physician practices to re-examine their HIPAA compliance plans, the scrutiny applied to their BAs’ HIPAA compliance programs, and their contractual agreements with BAs. The bottom line is, well, the bottom line; Covered Entities are now explicitly liable for the HIPAA compliance of their Business Associates.

More Read

obesity recognized as disease
New Weight Loss Drugs Come to Market as AMA Recognizes Obesity as Disease
FL Governor Scott Reverses Course on ACA Medicaid Expansion Provision
EHRs and Improper Billing: Should We Worry?
Leveraging Health IT to Strengthen Patient Engagement
Will Medicare Cover Telehealth?

What does this mean in practice?

1.Tailor-made compliance plans. Unlike other regulatory schemes, which envision compliance with specific rules and regulations, and allow for certification of compliance, HIPAA is a much looser construct. There are standards, but adherence with all of them is not mandatory. Some standards are “addressable” – which means that regulated entities may address certain regulatory concerns in ways other than full compliance with the methods outlined in the rule. The idea is that this is not a one-size-fits-all program; rather, HIPAA compliance programs need to be tailored to the privacy and security needs of an individual CE or BA.

2.Adoption of policies; review of policies and related documents. Privacy and security policies must be revised and updated on a regular basis, particularly in connection with a major regulatory overhaul such as the promulgation of the Omnibus Rule, but also on an annual basis. Grandfathered Business Associate Agreements (BAAs) should be reviewed for compliance with the new regulations as well. More and more CEs are looking for indemnification provisions in their BAAs. In the end, though, the indemnities are only as good as the BA’s HIPAA compliance program and insurance, both of which bear closer examination.

3.Workforce training. Once appropriate policies, agreements and insurance are in place, the workforce must be trained, and tested, on the HIPAA compliance material.

4.Risk assessments. Annual risk assessments – preferably handled by outside data security experts – must be conducted on an annual basis. A good risk assessment will uncover room for improvement even in an organization that is highly attuned to HIPAA compliance. Why? Because this is more of a continuous improvement exercise addressing evolving realities than it is check-the-box compliance with a static rule.

Are there things other than HIPAA compliance that demand investment of staff and other resources? Of course there are. But the costs associated with failing to invest appropriately in this realm can be significant. Multi-million-dollar fines and imposition of compliance monitoring agreements — to say nothing of the attendant negative publicity — may be devastating. It seems clear that the investment in HIPAA compliance is one that is likely to pay dividends over the years.

A well-developed, well-documented and well-implemented privacy and security policy, where training and testing of staff is documented, where key agreements are in place and easily producible for review when your friendly neighborhood government agent comes knocking, will go a long way towards minimizing potential sanctions when (not if) your organization experiences a breach of privacy or security of protected health information.

This post first appeared on The Doctor Blog.

TAGGED:HIPAApatient data
Share This Article
Facebook Copy Link Print
Share

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

9 Lifestyle Tweaks That Can Add Years to Your Life
9 Healthcare Lifestyle Tweaks That can Add Years to Your Life
lifestyle
July 11, 2025
car accident lawsuit
Let Your Lawyer Handle the Work Before You Pay Medical Costs
Policy & Law
July 6, 2025
women dental care
What Is a Smile Makeover and How Much Does It Cost?
Dental health
June 30, 2025
HIPAA-Compliant Messaging Apps
Top HIPAA-Compliant Messaging Apps for Healthcare Teams
Global Healthcare Policy & Law Technology
June 25, 2025

You Might also Like

State Dental Commissions Protect Not Just Your Teeth; They Also Protect…Dentists

December 9, 2011
nfl concussion summit
NewsPolicy & Law

NFL Players Hosted Concussion Summit Week Before Super Bowl

February 17, 2014
antibiotics for a virus are always inappropriate
NewsPublic Health

Antibiotics for a Virus? How to Just Say No

March 27, 2012

Determining Paths of Research

October 26, 2012
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?