Closing HIPAA compliance gaps: Getting your policies in order

Most organizations do not have the necessary bandwidth to develop and maintain complete policies
By Lyn Triffletti
08:55 AM

While every healthcare organization is aware of the need to comply with the Health Insurance Portability and Accountability Act (HIPAA), many--especially smaller entities such as physician practices--don't have all the policies and procedures in place to adequately meet the requirements and preserve the privacy and security of patient health information.

One reason for this is that the scope of what's necessary is so broad. Believe it or not, there are 52 possible policies that organizations may need in order to comply with HIPAA. To determine which ones are required, an organization must perform a comprehensive risk assessment and gap analysis. Based on the results, a facility can then craft the appropriate policies, addressing all the relevant details that the regulations demand. Although organizations can find standard policies online, these may not be sufficient, especially for specialty practices with unique requirements.

As discussed in part 1 of this series, most organizations do not have the necessary bandwidth to develop and maintain complete policies. This lack of time and resources leaves many entities at risk, but there are strategies to deal with this and prioritize compliance.

Small Oversights Can Lead to Big Problems

Giving less than full attention to HIPAA compliance is a risky proposition. Organizations may not fully understand the scope of HIPAA regulation or how to address it, but the consequences of a breach are rarely minor, and a facility with a policy deficit will discover the ramifications soon enough.

Consider a practice that receives a call from one of its patients who has a neighbor working in the office. The patient is concerned that the neighbor might have access to the patient's medical record and wants to know what the practice's policy is for preserving the privacy of patient health information. The practice has only a short HIPAA form--one that was written several years ago--and nothing that documents which staff members may access which records or how that access is controlled. The patient begins to question whether her information is in fact secure and files a complaint with the Department of Public Health. The situation quickly escalates, and all of a sudden the practice is facing a six-figure fine and a potential lawsuit, which it likely cannot afford.

Examples like this one are not as rare as some might think. It takes only one patient who is concerned about his or her rights to leave an organization confronting dire consequences.

Taking Steps to Mitigate Risk

Ensuring a practice has the right HIPAA policies in place may seem daunting, but there are several concrete ways organizations can achieve better compliance, starting with proper risk assessments and policy documentation. Here are a few tactics to consider when pursuing those strategies.

Seek expert resources. It is usually not realistic for small to mid-sized practices to have a dedicated HIPAA expert on staff. Practices often have limited resources that are focused on other priorities, and finding an individual who is proficient in HIPAA can be difficult. To lay the groundwork for reliable compliance, organizations should look for expertise outside the practice's four walls. This may entail outsourcing HIPAA compliance efforts or hiring a consultant or compliance lawyer to advise practice staff. There are also many software options that guide people through detailed risk analyses and policy creation.

Conduct a gap analysis. The only way to know whether your organization is in compliance is to conduct a risk assessment or gap analysis. This will involve an in-depth review of current policies, direct observation of existing operations and conversations with staff members about how they maintain the security of patient health information. The risk analysis is itself a required implementation specification under the HIPAA Security Rule, so the written record of how it was performed and what it found is documentation an investigator will ask for, not just an internal planning aid. As part of this exercise, an organization may want to use a scoring mechanism to quantify potential shortfalls and pinpoint areas of focus. Again, leveraging the skills of an outside resource can be valuable.

Customize policies. Once an organization determines through its gap analysis which policies are required, it can consult the internet, software vendors or outside resources to find a starting point for policy development. It is important to note, however, that facilities should customize the policies to address their specific risks and needs, and should document the customized versions as the practice's own. Specialty practices in particular cannot simply adopt policies that were written for primary care providers or hospitals. Customization is the best way to make sure that a practice is addressing its particular HIPAA policy needs.

Set up reminders. Once these three steps are completed, providers should not let their HIPAA compliance go stagnant. Instead, practices should review their policies and risk assessments at least annually, if not more frequently. The regulations require periodic review of policies and documentation, and an annual cycle is the customary way to meet that requirement; reviewing more often is wise given how quickly things are changing in healthcare. To keep track of this activity, an organization may wish to set up a tickler file or some other reminder system.

Underpinning any good HIPAA compliance effort are strong policies and regular risk assessments. Organizations that commit to this work are far better positioned to preserve the privacy and security of patient health information and to avoid the unpleasant situations that result from a lack of attention and documentation.

The last article in this series will focus on improving HIPAA training, exploring ways to use information from risk assessments to inform staff education.