HIPAA Compliance: Navigating a Health Care Minefield

27 June 2016 Health Care Law Today Blog
Author: Aaron K. Tantleff

In the two decades since its original passage, complying with the federal Health Insurance Portability and Accountability Act (HIPAA) has not gotten any easier. Its Security Rule in particular, which requires covered entities to protect the confidentiality, integrity and availability of electronic health information, imposes daunting administrative, technological and financial burdens on health care organizations. Those burdens are only becoming more acute as organizations grapple with a shifting health care economy and, in many cases, shrinking profit margins.

Nevertheless, compliance is vital. HIPAA violations carry serious monetary, reputational and operational consequences, including, in extreme cases, criminal prosecution and jail time. And while full compliance is easier said than done, understanding the biggest challenges and knowing where weaknesses originate are the best ways to avoid costly mistakes.

Challenges and mistakes

The HIPAA Security Rule requires covered entities, and their business associates, to conduct periodic risk analyses of their policies and technical infrastructure and to implement safeguards that ensure the confidentiality, integrity and availability of electronic protected health information (ePHI) both at rest and in transit. The rule is deliberately technology-neutral, however: it sets standards and implementation specifications but does not prescribe particular products or configurations. That gives each organization the freedom to choose the software that best suits its needs, but it also increases the risk that the systems of different vendors will not interoperate securely, so that ePHI ends up being transmitted unencrypted at the seams between them.

Human error also inevitably undermines an organization's efforts to remain compliant. Mistakes range from weak passwords to lost or stolen unencrypted devices. Basic lapses in judgment, such as office gossip about patients or shoddy due diligence on vendors, can likewise result in the disclosure of ePHI. However it happens, an impermissible disclosure is a serious HIPAA violation.

Finally, while a well-designed compliance system and training program may be simple in theory, they are often much harder to implement in practice, especially as organizations face ever-tightening budgets. We see many companies become vulnerable to HIPAA violations simply because they cannot stretch their resources far enough.

How to ensure compliance

As important as technology is for managing patient information, the best way to ensure continued compliance with HIPAA standards is regular, comprehensive staff training. The importance of the human element cannot be overstated. Every organization must properly and continually train all personnel who have access to patient records, in a way that is applicable and appropriate to each functional role. All employees must also understand their obligations in securing information and know what to do in the event of an incident.

Additionally, organizations need to ensure that their compliance instructions are written in plain English. Far too often I see policies written in a way that only a lawyer or an engineer could understand, which makes it much harder for the average employee to follow them. Taking the extra step to put all necessary information in clear, accessible language goes a long way toward helping users comply with the requirements.

Ultimately, as difficult and complicated as HIPAA compliance can be, any organization – from the sole provider to the largest system – should never lose sight of three key steps:

  1. identify the types of information present, how it is used, and what rules apply;
  2. protect that information, both internally and with regard to any third-party vendors or providers; and
  3. maintain those protections through regular reviews, continued training, and adaptation to change.

This blog is made available by Foley & Lardner LLP for informational purposes only and is not intended as legal advice.