I’m going to turn the lights down low, burn a few candles, play some Norah Jones, and slip into something a little less comfortable: Health Insurance Portability and Accountability Act compliance (yeah, baby). Okay, so maybe it’s not the sexiest of topics, but familiarizing yourself with the most common HIPAA compliance issues helps keep your practice in the know—and out of the jailhouse. So, let’s strip it down, shall we?

First Things First

If you follow the news, you might think that HIPAA compliance issues only happen to “the big guys”—the healthcare providers and payers with access to thousands of patient records. That’s because, in most cases, only major breaches must be reported to the news media. But you don’t have to work for a large hospital or major health insurance carrier to be majorly concerned about HIPAA. In fact, private practices are the most frequent offenders. The HHS indicates that private practices are the most common type of covered entities “that have been required to take corrective action to achieve voluntary compliance,” coming in ahead of hospitals, outpatient facilities, pharmacies, and health plans (group health plans and health insurance issuers).

Take Two—or Five

Now that I have your attention, let’s talk about the big compliance concerns your practice needs to be aware of—including one you may not have considered. The US Department of Health and Human Services reports that since April 2003—when compliance with HIPAA standards became mandatory—the “OCR has received over 121,576 HIPAA complaints and has initiated over 929 compliance reviews.” Of those reviews, these are the top five most-investigated compliance issues:

  1. Impermissible uses and disclosures of protected health information
  2. Lack of safeguards of protected health information
  3. Inability for patients to access their protected health information
  4. Lack of administrative safeguards of electronic protected health information
  5. Use or disclosure of more than the minimum necessary protected health information

Last But Not Least

As you can tell, most of these five issues have the potential to cause a breach, but what happens after a breach occurs also presents a very real HIPAA compliance threat. According to this HHS document, “A covered entity must mitigate, to the extent practicable, any harmful effect it learns was caused by use or disclosure of protected health information by its workforce or its business associates in violation of its privacy policies and procedures or the Privacy Rule.” Mitigating a breach is mandatory—and an important part of the first step in your HIPAA breach survival guide—but over the past few years, OCR records indicate a troubling increase in healthcare providers’ lack of mitigation.

For the most part, a great EMR (wink, wink) has your HIPAA compliance concerns covered in all the right places, but some HIPAA-related matters—like social media, email marketing, or natural disasters—fall outside the scope of your EMR. Not sure how your practice is doing when it comes to avoiding these top six issues? Then you may already be at risk, and it’s time to assess your processes and security practices. Still catching up on the basics of HIPAA? Take advantage of your resources—like the ones here, here, here, and here—to make sure you and your staff never get caught with your compliance pants down. Finally, keep an eye on our Blog, where we always provide the latest compliance information.