5 HIPAA Items You Should Focus On

Meaningful Use, ICD-10, and the new Merit-Based Incentive Payment system have overshadowed HIPAA recently. In 2017, however, practices must give it higher priority.

1. HIPAA Audits

The HHS regards HIPAA as the national standard for protecting the privacy and security of health information. This led to the Health Information Technology for Economic and Clinical Health Act (HITECH), which had a provision for audits.

The first round of audits covers compliance, security, and breach notifications. The second round extends to other stakeholders, such as health care providers and insurance companies.
There is currently a focus by the HHS Office for Civil Rights on carrying out these audits. Ignoring them is not an option.

Meaningful Use and HIPAA Compliance

If you participated in Meaningful Use, you'll have confirmed that you protect electronic health information. Simply conducting a security risk assessment, however, isn't enough.
Instead, you'll need the following:

  • Security risk assessment (Core Measure 1)

  • Your Business Associates Agreements (BAAs)

Here's how they both impact HIPAA compliance efforts.

A Risk Assessment Isn't Enough

A risk assessment is only one element of the process. You also must "implement security updates as necessary and correct identified security deficiencies."

In other words, you must act via a Corrective Action Plan (CAP) following the risk assessment.

Updating BAAs and Satisfactory Assurance

Business Associates are vendors with which you share protected health information (PHI), such as IT providers and billing service providers. You must have a BAA in place with every Business Associate, and each BAA must also be updated to reflect the Omnibus final rule, which took effect in September 2013.
You also need to get satisfactory assurances from your Business Associates that they can protect the health information you share with them.

When Can We Be Audited?

You can face a Meaningful Use audit for up to six years. You should keep good records to ensure you're always prepared.

2. The HIPAA Breach Notification Rule

HIPAA breaches and the improper disclosure of health information must be reported to the HHS Office for Civil Rights.

Previously, this only applied if 500 or more accounts were improperly disclosed. Under the current rules, every improper disclosure must be reported.

3. Where Do I Start With HIPAA Compliance?

There are hundreds of pages of HIPAA rules and regulations, but compliance doesn't have to be complicated. Start with an organization assessment. This will tell you who you share information with and the type of information shared. It will also highlight areas where you are currently in breach.
In your organization assessment, you should look at all the main areas of HIPAA compliance:

  • Administrative Safeguards: policies, procedures, and training

  • Technical Safeguards: how your systems are connected, how information shared with outside vendors is safeguarded, and whether you have termination checklists so that people who no longer work with you are promptly removed from your EHR and network

  • Physical Safeguards: how you're protecting your physical infrastructure

The required security risk assessments are very detailed, whereas organization assessments are an overview looking at the higher-level picture. Live Compliance can complete your organization assessment and help your organization understand your corrective action plan.

4. Documentation

It's important to remember that a BAA is not simply a document. Instead, it's a contract between you and your vendor.

Satisfactory Assurances should be treated similarly. After all, they show that you've done due diligence to verify that a vendor can safeguard the information you share with them. You should, therefore, document them through a contract or a written agreement.

Documenting HIPAA Compliance

Employees are the first line of defense when protecting patient information. Document your HIPAA compliance program and make sure your employees fully understand it, so they know what they can and can't do.

5. HIPAA, MACRA and Meaningful Use

HIPAA compliance is required by HHS. To participate in MACRA, you must be able to protect protected health information (PHI) and personally identifiable information (PII), even though other programs are replacing Meaningful Use.

To ensure HIPAA compliance, you should conduct a risk assessment at least twice a year—more often if there is a significant chance of noncompliance in your practice. The first risk assessment should identify risks, and the second should check that those risks are properly remediated. Live Compliance can ensure your organization is HIPAA Compliant.

TriZetto Provider Solutions® Powered by Cognizant
