HIPAA Privacy Gaps

Although HIPAA is known to all healthcare organizations as well as most patients, implementing HIPAA requirements is often easier said than done. The HIPAA Privacy Rule contains more than 50 standards and implementation specifications, all of which must be implemented by a covered entity, with few exceptions. With so many standards to satisfy, many organizations struggle and end up with gaps in their HIPAA privacy compliance.

Many of these challenges are similar and consistent among organizations, despite healthcare function, size, or geographic location, according to enforcement activities conducted by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Knowing where HIPAA problems exist is the best way for healthcare organizations to address these problems.

These are five of the more common privacy gaps in HIPAA compliance:

1. Lacking or Deficient Policies and Procedures

Although many organizations have HIPAA policies and procedures in place, often these efforts toward HIPAA compliance are insufficient, according to OCR. This led to a resolution agreement in 2018, which requires covered entities to implement specific activities to address Privacy Rule requirements.

As each organization is unique, they must take care to implement policies and procedures that meet their specific needs and address all applicable HIPAA requirements. There is no one-size-fits-all for HIPAA compliance, so entities must create, distribute, and train workforce members on organization-specific procedures. Any employee unsure of a policy or procedure should be able to review the organization’s written policy on each issue.

2. Outdated or Insufficient Training

The HIPAA Privacy Rule requires covered entities to train workforce members on the policies and procedures required by HIPAA, to the extent necessary for employees to perform their jobs. OCR required workforce training, and documentation of that training, in nearly all of the enforcement activities that led to the 2018 resolution agreement.

Best practice is to provide training to employees shortly after hiring, usually within 30 days, as the Privacy Rule requires organizations to train employees within a reasonable time period after hiring. Organizations should document annual training as well as sanction-related training, and provide frequent updates and newsletters to employees to keep privacy policies fresh and on their minds.

3. Noncompliant or Missing Business Associate Agreements

Covered entities and business associates must always enter into a valid business associate agreement (BAA) with vendors that create, receive, maintain, or transmit any protected health information (PHI) on the organization’s behalf. In 2017 and 2018, OCR investigated both covered entities and business associates that had noncompliant BAAs or no BAAs at all.

Covered entities and business associates must confirm that there is a valid BAA in place when required, verify that executed BAAs are compliant with appropriate HIPAA standards, ensure that employees who interact with vendors are trained to identify when a BAA is required, and keep an updated inventory of all business associates and BAAs.

4. Inconsistent User Access Monitoring

Under the Privacy Rule, organizations must limit the use and disclosure of PHI to the “minimum necessary” to perform a given function. There must be appropriate administrative, technical, and physical safeguards in place to protect PHI from unauthorized access. These policies should prohibit employee access to PHI without authorization. Additionally, access to PHI must be terminated when an employee leaves an organization. If these policies are not in place, covered entities risk investigation and/or HIPAA enforcement action.

It is also important to monitor employee access to PHI. This was more difficult in the past when PHI was kept in paper files, but safeguards can be implemented to monitor user access to electronic PHI (ePHI), so that the organization knows when, where, how, and by whom PHI has been accessed. If an organization finds that an employee has gained impermissible access, it must take the steps outlined in its policy: terminate the access, sanction the employee, and, at the very least, provide remedial training to that person.
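The paragraph above describes what access monitoring for ePHI is meant to surface: access by accounts whose employment has ended, access beyond what a role needs (the “minimum necessary” standard), and access by accounts the organization does not recognize. The following script is an added illustration, not code from the original article or from Compliancy Group; it audits a constructed audit-log excerpt against a constructed workforce roster. The log format, the record types, the roles, and the role-to-record mapping are all assumptions chosen for the example.

```python
"""Audit a constructed ePHI access log against a workforce roster.

Flags the patterns the Privacy Rule safeguards discussed above are meant
to catch: access by users whose employment has ended (access that was
never terminated), access outside a role's "minimum necessary" scope, and
access by accounts not on the roster at all. All data below is constructed
for illustration; the record types, roles and log format are assumptions.
"""
from datetime import date, datetime

# Constructed workforce roster: user -> (role, termination date or None).
ROSTER = {
    "jdoe":   ("nurse",   None),
    "asmith": ("billing", None),
    "rlee":   ("nurse",   date(2023, 3, 31)),  # left the organization
}

# Assumed minimum-necessary mapping: which record types each role may open.
ROLE_SCOPE = {
    "nurse":   {"clinical_note", "medication"},
    "billing": {"claim", "insurance"},
}

# Constructed audit log lines: timestamp,user,action,record_type,patient_id
ACCESS_LOG = """\
2023-03-15T09:12:04,jdoe,view,clinical_note,P1001
2023-03-15T09:20:51,asmith,view,claim,P1001
2023-03-16T14:02:10,asmith,view,clinical_note,P2002
2023-04-02T23:45:33,rlee,view,medication,P3003
2023-04-03T08:00:00,ghost,export,clinical_note,P4004
"""


def parse_log(text):
    """Yield one event dict per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record_type, patient_id = line.split(",")
        yield {
            "time": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record_type": record_type,
            "patient_id": patient_id,
        }


def audit_access(log_text, roster=ROSTER, role_scope=ROLE_SCOPE):
    """Return a list of (user, reason, patient_id) findings for review.

    Each event is checked in order of severity: an unknown account is
    reported before anything else, then access after the user's
    termination date, then access to a record type outside the role.
    """
    findings = []
    for event in parse_log(log_text):
        user = event["user"]
        if user not in roster:
            findings.append((user, "unknown account", event["patient_id"]))
            continue
        role, terminated = roster[user]
        if terminated is not None and event["time"].date() > terminated:
            findings.append((user, "access after termination", event["patient_id"]))
            continue
        if event["record_type"] not in role_scope.get(role, set()):
            findings.append((user, "outside role scope", event["patient_id"]))
    return findings


def summarize_by_user(findings):
    """Count findings per user so reviewers can prioritize follow-up."""
    counts = {}
    for user, _reason, _patient_id in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for user, reason, patient_id in audit_access(ACCESS_LOG):
        print(f"{user:8} {reason:26} patient {patient_id}")
```

In practice the roster would come from the HR system and the log from the EHR’s audit trail; the point of the example is that the three checks map directly onto the policy requirements in the text (terminate access on departure, limit access to the minimum necessary, know who touched each record), and that each finding names the person and the record so the sanction and remedial-training steps can be documented.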

5. Improper Breach Risk Assessment and/or Breach Notification

OCR revised the definition of a “breach” in 2013: when an organization is unsure whether an unauthorized access, use, or disclosure of PHI requires notification, it must perform a four-factor risk assessment. While some organizations updated their policies to follow this requirement, many still use old, outdated procedures when handling these incidents.

The Breach Notification rules and the HIPAA breach reporting timeline require covered entities to notify affected individuals, OCR, and the media no more than 60 days after discovering a breach that has affected more than 500 individuals. Failure to do so can result in OCR enforcement and monetary penalties, among other consequences.

Learn from Past HIPAA Violations

Learning from the mistakes of others will help covered entities implement their own policies and avoid HIPAA privacy gaps. Organizations should: review, and update if necessary, current policies to confirm that terms are defined properly; confirm that breach assessments follow the current four-factor methodology; ensure that template notification letters include the correct and required content; and confirm that breach notification reaches all appropriate parties in a timely fashion.

Compliancy Group helps healthcare organizations avoid common mistakes in compliancy. We help simplify compliance so you can confidently focus on your business. Find out more today!