Healthcare News & Insights

30% of providers don’t know HIPAA regs, audits show

HIPAA audits conducted last year found hospitals were committing a number of violations. The most common reason: They weren’t familiar with what the law requires.

That’s the message in a recent analysis of HIPAA audits that were conducted on behalf of the U.S. Department of Health and Human Services (HHS) in 2012.

According to the report published by HHS’s Office of Civil Rights (OCR), during the 115 audits conducted last year, 980 problems were discovered. Just 13 of the organizations audited (11%) had no issues reported.

The issues uncovered by the audits had a number of reported causes, including a lack of resources, incomplete implementations and willful disregard for HIPAA requirements.

However, the most common cause behind the violations discovered was that the organizations were simply unaware of the law’s requirements, according to OCR’s analysis. Ignorance of the rules was blamed for 30% of the issues found.

The bottom line: By not knowing what’s required, many hospitals are leaving themselves open to compliance costs for HIPAA violations and the potential risk of data breaches. Beyond fines from the feds, stolen patient data can result in damaged reputations, loss of income and even lawsuits from affected individuals.

What parts of HIPAA caused the most problems for hospitals and other organizations? According to OCR, the top elements were:

1. Notice of Privacy Practices

Providers must offer patients a notice of the organization’s practices to keep their information private, as well as their rights when it comes to keeping the health data confidential.

The notice should describe how the provider can use and disclose protected health information (PHI) and the organization’s legal obligations to protect patient data, as well as how patients can complain if they feel their privacy has been violated. The document must be provided to any person who asks for it and posted on any website the provider has with information about its services.

2. Risk Analysis Requirements

HIPAA requires all covered entities to conduct an “accurate and thorough” assessment of the risks to the security and privacy of their patients’ electronic information.

While there’s no one-size-fits-all plan for what makes a thorough risk assessment, HHS recommends that organizations:

  • Identify all the electronic PHI stored and created by the organization and where it’s held
  • Identify all e-PHI sent to third parties
  • Consider not just technical threats such as hacking attacks but physical threats as well (such as the theft of computing devices), and
  • Periodically review and update the risk assessment.

3. Individuals’ Access to Their PHI

HIPAA gives patients the right to ask for their own health information and requires hospitals to respond to those requests in a timely manner.

However, the law requires organizations to have procedures in place to verify the identity of the person making the request and forbids them from handing over information without the proper verification.

4. Minimum Necessary Requirement

HIPAA requires hospitals and other organizations to limit access to patients’ information to only what is necessary to effectively treat the patient.

Hospitals must create written policies and procedures appropriate for their own organizations. The rules should specify which employees within the hospitals are allowed to access which categories of data, as well as outline criteria and protocols for responding to requests for information.

The Minimum Necessary standard doesn’t apply when:

  • Another provider needs information for treatment purposes
  • Patients request their own information
  • Someone authorized by the patient requests the information
  • Uses or disclosures are required under HIPAA’s Administrative Simplification Rules
  • Disclosures to the HHS are required under the Privacy Rule for enforcement purposes, and
  • Uses or disclosures are required by another law.

5. Authorizations for Use and Disclosure

Hospitals need to get patients’ written authorization before disclosing or using their information other than for treatment, payment or other care-related purposes or as required by the law.

Some examples of uses and disclosures that require authorization include disclosing the results of a physical or lab test to a patient’s employer, and using patients’ information for marketing purposes.

6. Media Movement and Disposal

When hospitals dispose of patient information, they must take steps to make sure it can’t be recovered and accessed by unauthorized people — and that includes electronic information.

For paper records, that usually means shredding documents. For electronic data, hospitals should use special software to fully wipe information off of computers and disk drives, or physically destroy the drives.

7. Audit Controls and Monitoring

HIPAA’s security rule requires hospitals to use tools to monitor their networks for suspicious activity — for example, the organization should be able to check records of log-in attempts to see if employees have attempted to view information they aren’t authorized to access.

In addition, hospitals should periodically audit their security practices to see if they are leaving data open to any unnecessary threats.
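The kind of review items 4 and 7 call for, as an added example that is not part of the article: a constructed access log is checked against a hypothetical written access policy (both are assumptions, not from any real hospital), flagging successful views the policy does not permit and users who repeatedly hit denials.

```python
# Added example (not from the article): review a constructed access log against
# a written role-based policy, as items 4 and 7 describe. Flags views the
# policy does not permit and users with repeated denied attempts.
from collections import defaultdict

# Hypothetical written policy: role -> data categories it may view (assumption)
ACCESS_POLICY = {
    "nurse": {"demographics", "vitals", "medications"},
    "billing": {"demographics", "claims"},
    "physician": {"demographics", "vitals", "medications", "labs", "notes"},
}
# Constructed sample log lines: timestamp,user,role,patient,category,outcome
SAMPLE_LOG = """\
2013-01-07T08:02:11,jdoe,nurse,P1001,vitals,allowed
2013-01-07T08:05:40,jdoe,nurse,P1001,labs,allowed
2013-01-07T09:10:02,bsmith,billing,P1002,claims,allowed
2013-01-07T09:11:55,bsmith,billing,P1002,notes,denied
2013-01-07T09:12:03,bsmith,billing,P1002,notes,denied
2013-01-07T09:12:10,bsmith,billing,P1002,notes,denied
"""
FIELDS = ("ts", "user", "role", "patient", "category", "outcome")

def parse_log(text):
    """Parse CSV-style lines into dicts; skip blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows

def find_policy_violations(rows, policy=ACCESS_POLICY):
    """Successful views of a category the role may not access (an enforcement gap)."""
    return [r for r in rows if r["outcome"] == "allowed"
            and r["category"] not in policy.get(r["role"], set())]

def find_repeated_denials(rows, threshold=3):
    """Users with at least `threshold` denied attempts, for follow-up review."""
    counts = defaultdict(int)
    for r in rows:
        if r["outcome"] == "denied":
            counts[r["user"]] += 1
    return {u: n for u, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for v in find_policy_violations(rows):
        print("policy gap:", v["user"], v["role"], "viewed", v["category"])
    print("repeated denials:", find_repeated_denials(rows))
```

A successful view outside the policy points to an access-control gap to close, while repeated denials are the log-in records the audit-controls item says should be reviewed.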
