A recent poll of webinar attendees found that barely one-third may be HIPAA compliant, based upon responses to a single question.
Conducting an annual Security Risk Analysis is one of the foundational requirements of HIPAA compliance. Still, only 33.5 percent of 146 respondents answered affirmatively to the question, “Have you completed your HIPAA Risk Analysis for this year?” The poll was conducted during Compliancy Group’s “6 Secret Ingredients to HIPAA Compliance” webinar on May 20, 2022. Participants in the survey answered anonymously.
Those numbers are not surprising to Liam Degnan, Director of Strategic Initiatives for Compliancy Group. With nearly nine years of experience in compliance and risk management, he has witnessed the consequences of failing to comply with HIPAA regulations.
“Look at the statistics of HIPAA violations and fines. You can trace an overwhelming majority of them directly to the failure to conduct or complete a Security Risk Analysis,” said Degnan.
“When properly done, this analysis provides a snapshot of an organization’s current state of compliance, so that gaps can be identified and remediated.”
“The government demands that it be done every year because it serves as a measuring stick of what is being done. It is an essential part of building the case that an organization is making a good faith effort to comply with the HIPAA laws.”
The results from this survey are echoed by Ryan Smith, Director of Sales and Customer Success at Rigid Bits, a Managed Security Service Provider and cybersecurity firm that works with businesses to identify and reduce their cybersecurity risks through consulting services and technology.
“I talk to so many people who swear they’re HIPAA compliant, but 99% of them are not,” said Smith. “I’ve never talked to a single company who had actually done HIPAA to a tee, except for a client of Compliancy Group that I had bumped into.”
As a client and reseller partner since 2017, Rigid Bits uses a Compliancy Group HIPAA Compliance Checklist to help organizations evaluate their current state of compliance. In a world filled with threats from organized cybercriminal gangs in Russia, China, and North Korea, achieving HIPAA compliance is the minimum step any healthcare provider or vendor must meet to secure a patient’s protected health information.
According to the Department of Health and Human Services (HHS) Breach Reporting Portal (a.k.a. the “Wall of Shame”), breaches have exposed at least 10.6 million patient records through the first five months of 2022. This total only includes incidents affecting 500 or more records per incident.
Part of the confusion stems from the HIPAA regulations themselves. The goal of the law is to safeguard patients’ protected health information. To that end, HHS has issued guidance in “The Seven Fundamental Elements of an Effective Compliance Program.” The agency’s enforcement officials from the Office for Civil Rights use these elements to evaluate whether a practice is compliant.
The regulations and expectations are the same for every healthcare provider, insurance company, or vendor serving them who creates or possesses protected health information. The one-doctor practice in rural America and a regional medical system serving a metropolitan area must meet the same standard. The way each achieves that standard can and does vary wildly.
“There are two key points that you must understand if you have to be HIPAA compliant. First, it’s a journey, not a destination. You must continue to conduct risk assessments, train employees, and update policies and procedures to reflect what you are doing to meet the seven fundamental compliance elements,” said Marc Haskelson, Chief Executive Officer of Compliancy Group.
“Second, one size fits all doesn’t truly fit anyone. The law requires you to tailor your compliance strategy to your organization’s operation. Two practices with the same number of patients, in the same city, offering the same services may not run their practices in the same manner.”