
The Inadequacy of HIPAA Policies and Procedures


The importance of HIPAA policies and procedures should not be overlooked. Doing so can be costly.

I am often amazed at the questions I receive and the scenarios that are presented either when I speak or advise on HIPAA. One item that never ceases to amaze me is the confusion over what content is required in HIPAA policies and procedures. I kid you not; some entities contend that having a binder with the Code of Federal Regulations (CFR) section is enough. Let's think about that - how is that a policy, what are the procedures for implementing it, and what are the sanctions in the event the policy is not followed? The answers to these questions are what auditors, government officials, and lawyers look for when bringing a case or assessing fines.

Case in point: "Employee Sacked After Snooping Patient EMR Records," a true story. Ohio-based University Hospitals notified approximately 700 patients after a single employee "snooped" and accessed protected health information. This scenario raises multiple issues:

• The employee accessed the records for nearly three years without the hospital's knowledge;

• It was not until a complaint was received that the hospital audited its EHR system;

• The information accessed included names, diagnoses, health insurance information, and other sensitive information; and

• There were inadequate policies, procedures, and training on HIPAA.

What are the best ways to thwart this type of behavior? First, compile and implement substantive policies and procedures. Second, audit the EHR system regularly and have alerts set up that notify the IT department when records are inappropriately accessed. Third, have sanctions in place for HIPAA offenses. Fourth, provide annual staff training. And, finally, recognize the importance of identifying both the internal and external data security threats to your organization.

© 2024 MJH Life Sciences

All rights reserved.