
Getting Back to the Basics with HIPAA Compliance

April 14, 2011

A recent news item in the healthcare space caught my eye: Organizations are struggling with HIPAA compliance. In fact, a recent survey found HIPAA to be #1 on respondents’ list of most difficult regulatory challenges from a technology standpoint. Now, while this might not be much of a news flash to those in healthcare IT, it still invites a closer look at how organizations are dealing with HIPAA compliance these days.

HIPAA (the Health Insurance Portability and Accountability Act) was enacted in 1996 with the goal of ensuring that healthcare organizations adequately protect sensitive patient information and medical data. Complying with this broad-reaching regulation was no small task from the outset, and it’s becoming even more challenging as more organizations make, or at least consider, the transition to electronic medical records.

One requirement that seems to be tripping firms up, over the past few months anyway, has to do with providing patient records upon request. HIPAA patient rights rules require healthcare providers to supply a patient with a copy of his or her medical records within 30 days of the patient’s request. In February, the Department of Health and Human Services (HHS) issued its first fines for HIPAA noncompliance to a health insurance company that failed to provide not just one medical record upon request—but 41. The price tag for the insurer: $1.3 million for denying patients access to their records and another $3 million for failing to cooperate with the department’s investigation. My guess about what the problem was behind the scenes: The insurance company just couldn’t find the data in a timely fashion, or maybe at all.

Not surprisingly, the size of this fine seems to be serving as something of a wakeup call for healthcare organizations to get smarter about how they manage patient data. While I have no way to know for sure, here’s what I think some firms will find they’re missing: the basics. Proactive testing and adjustment of archival procedures to satisfy HIPAA requirements. Simple IT security measures to ensure data integrity. A data retention policy and practices that include a methodology and tools to locate specific media—both online and offline—quickly and painlessly.

Sometimes it takes a reality check—one with a hefty price tag—to bring us back to the basics.

One Comment
  1. Great post! I think EMR systems are great, but how do HIPAA guidelines apply? It’s a touchy subject.
