7 most common failures in compliance programs
Frequent re-evaluation of your Health Insurance Portability and Accountability Act (HIPAA) compliance plan is a good idea, but what do you look for? Start with the most common shortcomings that the experts see in efforts to comply with HIPAA.
Shannon Hartsfield Salimone, JD, a partner with the law firm of Holland & Knight in Tallahassee, FL, offers this list of the most common problems she encounters with HIPAA compliance plans:
- Writing a notice of privacy practices and stopping there. The notice is not enough. It must be backed up by appropriate policies and procedures.
- Not updating your notice or policies and procedures. Maybe you wrote a notice of privacy practices in 2003 that was entirely adequate, but have you updated it since then? The Health Information Technology for Economic and Clinical Health (HITECH) Act and the security rule required substantive changes in the notice and the policies and procedures backing it up.
- Failing to adequately train employees. Even the best policies and procedures are worthless if your employees don't understand them and put them into action. "HIPAA is extraordinarily complex and detailed in terms of what it requires of covered entities, and a lot of providers don't have the resources or the desire to devote enough to the training," Salimone says. "Training your people well doesn't guarantee the Office for Civil Rights will go easy on you if you do have a breach, but failing to train will be much more likely to lead to a substantial fine."
- Not providing a link on your web site to the notice of privacy practices. This requirement is easily achieved, but it is also easily overlooked. "If that link is not there, it tells me that someone did not go through each of the requirements and make sure they were fulfilled, because that is clearly stated in the rules," Salimone says.
- Failing to do an adequate documented risk analysis. There is no set way to do the analysis, Salimone says, but it often involves the use of outside technicians and consultants to test the firewalls and encryption practices. Many covered entities do no risk analysis or do an inadequate one that is carried out by the same people who designed the protections.
- Skimping on the policies and procedures. If your HIPAA policies and procedures manual is 10 pages long, Salimone says you might not be in compliance. HIPAA requirements are so complex that it is almost impossible to cover everything without your policies and procedures going into great detail.
- Not updating your business associate agreements (BAAs). The BAA you came up with years ago, when associates were first a concern, will not suffice now that HITECH has changed the definitions and relationships with covered entities.