Why HIPAA Compliance Errors Are Too Costly to Make


If you can't make sure that your healthcare firm's records are secure, then you're not likely to remain in business for very long. The complex and highly detailed legal requirements spelled out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) can be daunting, and for good reason. Of course, we all want to avoid fines and forced closure at the hands of the US government, but let's keep in mind that remaining HIPAA-compliant is important for other reasons as well.

The High Cost of HIPAA Non-Compliance

These security standards are designed to protect the privacy of people's personal health records and, as the "Portability" in the name suggests, to let them keep their health insurance coverage with confidence when they switch jobs or make other life changes. Security incidents undermine consumer confidence in the data systems behind the services people depend on, so maintaining relationships of trust with your customers is critical. When your firm is HIPAA-compliant, both you and your customers can remain confident that their personal health information is safe.

What Does HIPAA Do?

HIPAA protects patients and health insurance policyholders, and it obligates the health care providers, insurers and other covered entities that maintain their records. This safeguarding of patient confidentiality applies to all "protected health information" (PHI), as defined in HIPAA, whether it is held on paper or electronically, but information held electronically is subject to additional, more specific safeguards.

Patient data that is stored or transmitted electronically is called "electronic protected health information," or EPHI. It is governed by what's known as the "Security Rule", that is, the Security Standards for the Protection of Electronic Protected Health Information.

To comply with the Security Rule, health care providers must develop comprehensive security plans for their facilities, including thorough documentation of the physical access controls in use and how they are applied. Means of physical access control include:

  • Video surveillance cameras
  • Identification badges
  • Intrusion detectors
  • Electronic card access systems
  • Visitor badges
  • Asset tagging

What all these systems have in common is that they permit access to authorized individuals who have legitimate business at the health care provider's facility. Conversely, they deny access to those who do not have a verifiable, legitimate need to be there.

EPHI Security Policy

Anywhere that medical staff can access EPHI should be treated as a restricted area with physical access controls in place. However, given the diverse settings in which health care is provided, that kind of restriction on every workstation and access point may not be reasonable to expect. Where a workstation sits in an area open to the general public or to visitors doing business at your facility, it should at a minimum be fitted with a privacy screen and positioned so that the display cannot be read by passers-by.

Similarly, any electronic device on which health care workers can access patients' files must be situated with care. Surveillance cameras covering these areas should be angled to record who approaches a workstation, not what is on its screen; a recording that captures patient information is itself EPHI and becomes one more copy that must be protected.

Moreover, successful compliance with the Security Rule requires vigilance, as the technologies used by a given health care provider often change rapidly and dramatically. Providers must document their systems' maintenance, repairs, component moves and any other changes to the systems. Because these adjustments take place on an ongoing basis, security maintenance should be seen as an ongoing task as well.

When HIPAA is Violated

Those found to be insufficiently compliant with HIPAA's rules and regulations face heavy fines, tiered according to the degree of negligence involved. Healthcare organizations, and the individual healthcare workers who circumvent or neglect the terms of HIPAA, are subject to these penalties as well.

Clearly, these fines are worth avoiding, for both the institution and the individual healthcare worker. But the greater concern should be the risk and harm done to patients in the event their trust and expectation of privacy are violated.

Where there is an assumption of privacy and confidentiality on the part of the patient, there needs to be commensurate reliability on the part of the health care provider.

When that trust is destroyed, particularly in the event of compromised EPHI, the patient, the provider, and the entire health care system suffer.

The Bottom Line

So what should health care providers do to make sure that they are HIPAA compliant and stay that way? First and foremost, they should implement "facility access controls." As the first standard under the Security Rule's Physical Safeguards, it requires policies and procedures that limit physical access to electronic information systems and the facilities that house them to authorized persons, while still ensuring that properly authorized access is allowed.

Many health care information systems rely heavily on web-based applications to access EHR (Electronic Health Records). Everyone with access to these systems, from physicians to nurses and other staff, must take great care to keep them protected, including locking or logging out of a session whenever a workstation is left unattended; physical controls on the building do little if an open session is left on a screen in a hallway.

Vigilant compliance with HIPAA is, therefore, a critical business move for any health care firm. It's not only a matter of regulatory compliance or avoiding fines; it's the right thing to do.

Bruce Pontier