
Five Frequently Overlooked Mistakes in HIPAA Compliance

7.23.2018

HIPAA was enacted in 1996. In the years since, most healthcare entities have adapted to the major requirements imposed by HIPAA, HITECH, and the Privacy and Security Rules. Nevertheless, the thicket of regulations still leaves some traps for the unwary. Here are the most frequent tripwires.

First, the goal of HIPAA is the integrity and availability of records along with their confidentiality. For workflow or other reasons, hospitals and other covered entities are often reluctant to share patient records. With the exception of certain specific carve-outs, such as psychotherapy notes, this reluctance violates HIPAA. Patients are entitled to their records. Compliance programs must accommodate this legal reality.

Second, HIPAA requires that disclosure of health care records be minimized to the extent necessary to accomplish the objective. In other words, a contractor or other entity with access to personal health information (PHI) is entitled only to those data points necessary to perform its function (e.g., names and addresses). For practical purposes, a technical solution is not always available: a covered entity may have a single computer system, and cannot realistically reconfigure it for every purpose.

In such instances, however, compliance may not be left by the wayside. It must be accomplished by alternative means, such as administrative safeguards. For example, a covered entity and business associate may contractually agree to limit access, and combine this restriction with random audits to ensure compliance.

Third, the requirement of minimal disclosure also extends to individual employees and contractors. They are entitled only to those records they need to perform their job functions. Of course, in the real world those functions continually evolve. Employees often switch roles, go on leave, rotate to different units, or complete the tasks that entitled them to access in the first place. Yet access is rarely calibrated to fluctuating business needs. Excessive access is a regulatory risk. Any compliance program needs to regularly reassess employee access. It must adjust PHI access rights to conform to current responsibilities.
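The second and third points above both reduce to the same operational control: decide which PHI fields a role actually needs, release only those fields to a requester, and periodically compare what each person holds against what their current role needs. The following is an added illustration written for this page, not code from the article or the firm; the role-to-field matrix, the user roster, the on-leave flag and the sample record are all constructed for the example.

```python
"""Minimum-necessary PHI access review (added example, not from the article).

Assumptions (constructed for this illustration): a role-to-field matrix
describing what each job function needs, an HR-sourced roster giving each
user's current role and the PHI fields the system currently grants them,
and one sample record. Every name, role and field below is made up.
"""
from dataclasses import dataclass

# Role -> PHI fields that role needs to do its job (constructed matrix).
# A role absent from this table is treated as needing nothing (fail closed).
ROLE_FIELDS = {
    "billing": {"name", "address", "insurance_id"},
    "nursing": {"name", "diagnosis", "medications"},
    "scheduler": {"name", "phone"},
}


@dataclass
class User:
    user_id: str
    role: str          # current responsibility, as HR records it
    granted: set       # fields the system currently lets this user read
    on_leave: bool = False


def excess_access(users):
    """Return {user_id: fields} for every grant that exceeds current role need.

    Someone on leave needs no PHI access at all, so every grant they still
    hold is reported; a user whose role rotated keeps only the new role's set.
    """
    findings = {}
    for u in users:
        needed = set() if u.on_leave else ROLE_FIELDS.get(u.role, set())
        extra = u.granted - needed
        if extra:
            findings[u.user_id] = extra
    return findings


def minimum_necessary(record, role):
    """Project a PHI record down to the fields the requesting role needs.

    This is the 'disclose only what the function requires' rule applied at
    the point of release, e.g. before handing data to a business associate.
    """
    allowed = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


# Constructed roster: u1 is correctly provisioned, u2 rotated from nursing to
# scheduling but kept a nursing field, u3 is on leave with access still live.
USERS = [
    User("u1", "billing", {"name", "address", "insurance_id"}),
    User("u2", "scheduler", {"name", "phone", "diagnosis"}),
    User("u3", "nursing", {"name", "diagnosis", "medications"}, on_leave=True),
]

# Constructed sample record; values are placeholders, not real PHI.
RECORD = {
    "name": "Sample Patient",
    "address": "1 Example St",
    "insurance_id": "PLACEHOLDER-123",
    "diagnosis": "constructed",
    "medications": ["none"],
    "phone": "555-0100",
}

if __name__ == "__main__":
    for uid, extra in excess_access(USERS).items():
        print(f"{uid}: revoke {sorted(extra)}")
    print("billing view:", minimum_necessary(RECORD, "billing"))
```

Run on a schedule (or on every HR role change), the output of `excess_access` is the list of revocations the article's third point asks for, and keeping it alongside the roster snapshot gives the documentation an auditor will expect. Treating an unknown role as needing nothing is deliberate: a misspelled or retired role then surfaces as a finding rather than silently retaining access.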

Fourth, HITECH and the Security Rule require a security assessment and the institution of safeguards to protect against reasonably anticipated disclosure. They also require that all Business Associates be bound to adhere to the safeguards program. The Business Associate Agreement needs to specifically incorporate this requirement. Technically, the failure to do so, even in the absence of a breach, is a violation. Yet many covered entities overlook this requirement. And if the Business Associate is unwilling to accommodate the requirement, the covered entity needs to evaluate the contractual arrangement, ensure that it meets the identified security criteria, and document the basis for this determination.

Fifth and finally, the healthcare sector is consolidating. The acquisition and consolidation of practices results in transition periods during which the successor entity holds multiple sets of PHI records under multiple compliance regimes. The result is a program that is incomplete, incompatible, or otherwise deficient. This is a serious regulatory risk. While a seamless transition may not be possible, incorporating compliance into the succession plan at the earliest possible stage is the prudent approach.

None of these five steps requires mastery of particularly arcane aspects of the HIPAA regulatory scheme. Yet covered entities and business associates regularly stumble on them. Each of these pitfalls is easily remedied. In compliance, as in medicine, an ounce of prevention is worth a pound of cure.

Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or sgul@poynerspruill.com. Mike may be reached at 919.783.2851 or mslipsky@poynerspruill.com.
