In the two decades since its original passage, complying with the federal Health Insurance Portability and Accountability Act (HIPAA) hasn’t gotten any easier. Enacted with the primary goal of protecting the confidentiality, integrity and availability of healthcare information, HIPAA presents daunting administrative, technological and financial burdens for health care organizations. The burdens are only becoming more acute as those organizations grapple with a shifting health care economy and, in many cases, constricting profit margins.
Nevertheless, compliance is vital. HIPAA violations carry serious monetary, reputational, and operational consequences — including, in extreme cases, jail time. And while universal compliance is easier said than done, understanding the biggest challenges and knowing where weaknesses originate are the best ways to avoid costly mistakes.
Challenges and mistakes
The HIPAA Security Rule requires covered entities to submit their policies and technical infrastructure for regular review, and to implement a comprehensive strategy to ensure the confidentiality, integrity and availability of electronic personal health information (ePHI) with respect to its storage and transmission. However, the rule itself does not provide any guidance on how to do this. While this affords each organization with the opportunity to determine what software would best suits its needs, it also increases the risk that the systems of various vendors will become incompatible with one another, resulting in the unencrypted transmission of ePHI between each of the incompatible solutions.
Human error also inevitably interferes with a company’s efforts to remain compliant. Mistakes can range from weak passwords to lost or stolen personal, unencrypted devices. In addition, basic lapses in judgment, like office gossip or shoddy due diligence on vendors, can result in disclosure of ePHI. However it happens, it’s a serious HIPAA violation.
Finally, while a well-designed compliance system and training program may be simple in theory, it is often much harder to implement in practice, especially as organizations continue to face ever-tightening budgets. We see many companies become vulnerable to HIPAA violations simply because they cannot stretch their resources far enough.
How to ensure compliance
As important as technology is for managing patient information, the best way to ensure continued compliance with HIPAA standards is to implement regular and comprehensive staff training. The human element cannot be overstated. It is critical that every organization properly and continually train and educate all personnel who have access to patient records in a way that is both applicable and appropriate for each functional role. It is also critical that all employees understand their obligations in securing information, and that they know what to do in the event of an incident.
Additionally, organizations need to ensure that all of their compliance instructions are delivered in plain English. Far too often, I see policies written in a way that only lawyers or some engineer could understand, which makes it much harder for any given employee to adhere to them. Taking the extra step to put all necessary information in clear, accessible language will go a long way toward helping users comply with the requirements.
Ultimately, as difficult and complicated as HIPAA compliance can be, any organization – from the sole provider to the largest system – should never lose sight of three key steps:
- identify the types of information present, how it is used, and what rules apply,
- protect that information, both internally and with regards to any third party vendors or providers and
- maintain those protections through regular reviews, continued training, and adaptation to change.