I’m simply going to start this as a good news/bad news scenario. The good news: most covered entities and business associates are not in compliance with HIPAA. The bad news: more than likely you and/or your organization are not in compliance either. I actually cannot say that I know of anyone that is fully in compliance with HIPAA anymore. I have seen individuals and organizations that fall under the “willful neglect” category of the HITECH Act penalty tiers as well as a lot that fall under the “did not know” category. Both of them will be fine, but one will pay a lot more than the other. Anyway, the goal of this article is not to talk about these HITECH categories but to help you correct some potential violations that are easy to spot. Based on our experience, these are the top five indicators of non-compliance:
- Failure to post a copy of your Notice of Privacy Practices (NPP) on your web site. 45 CFR 164.520(c)(3)(i): a covered entity that maintains a web site providing information about its customer services or benefits must prominently post its notice on that web site and make it available electronically through the site.
- Failure to update the NPP. If your NPP has an effective date before March 2013, it is outdated and a new one must be drafted in accordance with the Omnibus Rule changes.
- Outdated Business Associate Agreements. If any agreement with your Business Associates has not been updated since March 2013, it no longer meets the Omnibus Rule requirements and needs to be amended or replaced with a new agreement.
- Texting PHI between team members over ordinary SMS, or sending PHI in clear-text (unencrypted) e-mail, is another common violation, although an investigator would need access to your devices or e-mail to prove any wrongdoing.
- Failure to conduct an annual security risk assessment and to create a security management plan based on its findings.