It's been more than ten years since Congress passed the Health Insurance Portability and Accountability Act (HIPAA). Healthcare organizations have worked ever since to consistently maintain the privacy and security of patient health information. HIPAA requirements are vast and deep, requiring considerable effort for organizations to keep up with. Many--especially physician practices and smaller hospitals--do not have the bandwidth to keep on top of all the different HIPAA nuances.
Compounding this lack of resources is a widespread belief that HIPAA violations or security breaches only occur in other organizations. As such, practice leaders may think there is low risk in noncompliance and not prioritize the work. In addition, staff may not realize whose responsibility compliance is, leaving an important task open-ended and potentially incomplete.
All that said, organizations that make a commitment to HIPAA compliance can protect themselves and their patients. HIPAA compliance, or lack thereof, has both financial and cultural implications, so identifying common HIPAA compliance gaps is a great way to start down the path to compliance. This article will discuss two major gaps that many organization encounter: the prevailing "it won't happen to us" attitude and a lack of concentrated resources to maintain compliance.
The ever-mounting risk
There has never been a more important time to enhance a HIPAA compliance program. With the increasing prevalence of laptops and portable devices that house electronic health records and other patient information, the risk that a technology device will be stolen and its data compromised is growing. Hackers are also becoming more sophisticated--the news is full of organizations that have experienced attacks on their secure information.
Evolving technology is not the only risk factor. In fact, many compliance breaches stem from human error. For instance, staff might inadvertently leave a patient record open on a computer screen or a paper file in a public place. Perhaps a physician forgets his or her laptop in the car or shares his or her private security code with non-authorized personnel in an effort to make life easier. While seemingly minor, all of these examples showcase how HIPAA breaches can occur. Luckily, being proactive in identifying risk can help organizations better prepare.
Position for HIPAA Success
While getting a handle on HIPAA compliance may seem overwhelming, it is achievable for organizations that take a well-considered approach. A key first step is laying the cultural groundwork, which includes addressing attitudes toward HIPAA and making sure proper resources are allocated and effectively concentrated. Here are a few strategies for getting started.
Address the attitude toward compliance. For HIPAA compliance to gain attention, organization leaders must acknowledge and emphasize the importance of preserving data privacy and security. Moreover, they need to communicate that keeping information safe is every staff person's responsibility. This requires more than just lip service, but rather a concerted effort to uncover and resolve possible issues, effectively dispelling the "a breach won't happen to us" attitude.
One effective way to bring HIPAA compliance to the forefront is to conduct an informal analysis of the current state of compliance in the organization. Leaders should walk through the organization, using a critical eye to spot red flags. For example, does staff quickly respond to patient medical record requests and follow a consistent and well-defined process? How does the organization secure portable technology? What are the facility's rules about security passwords? Does staff know not to discuss a patient's care in common areas? An organization should consider documenting this assessment and sharing it with staff, so that everyone gains an appreciation of how compliance works and how organization can improve. Within this document, leaders may also want to outline the potential consequences of a breach, citing similar organizations that experienced a problem and the financial and cultural ramifications.
Another way to underscore the importance of an organization's commitment to HIPAA compliance is to be open about improvement. Leaders should encourage staff to report any gaps they notice, particularly workarounds that could place the organization at risk. For example, if a staff member sees that his peers are constantly rushing and leaving electronic medical records open, there should be a method for safely sharing that information with leadership. The response should be encouraging, not punitive, emphasizing the need for improvement not disciplinary action. Also, when making changes, leaders should gain staff feedback to make sure that new processes and technology fit within workflow and do not place an undue burden on staff.
Critically assess, and allocate, resources. To keep on top of HIPAA, organizations should have at least one staff person dedicated to compliance as part of his or her job. This individual should perform regular audits, review and update policies, provide training, conduct risk assessments and so on. Organizations must closely look at whether they can earmark the necessary resources. If they can't, they may have to consider seeking outside assistance in the form of technology, consultants or outsourcing. Leaving compliance to chance or placing it as an ad hoc responsibility will not be sufficient to protect patient data.
Making the Commitment
Ultimately, an organization will be successful in complying with HIPAA if it is honest with itself about the risks it faces, the resources it can allocate and what gaps exist. Facilities that take a hard look at these gaps and work to mitigate them will go a long way in keeping information safe, protecting patients and themselves.
Over the next few months, we will be taking a closer look at additional common HIPAA compliance gaps. These articles will probe the reasons behind these gaps and offer tips and strategies for proactively and effectively addressing them.