After updating the HIPAA Law (HIPAA Omnibus Rule) in 2013, and a new Enforcement Deadline
coming up on September 23, 2013, some organizations still aren’t HIPAA compliant! With over
22,000,000 disclosures of Protected Health Information already, what are the five most common
reasons why your organization isn’t compliant!
1. No HIPAA Risk Analysis – maybe you were too busy, or maybe you weren’t sure what a risk
analysis really is. A HIPAA Risk Analysis, (according to the Office for Civil Rights for the Department
of Health and Human services) is: Conduct an accurate and thorough assessment of the potential
risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected
health information held by the organization.
2. The HIPAA Risk Analysis is out of date — maybe you did it five years ago, which was BEFORE
the new HIPAA Omnibus Rule was mandated. Maybe you wanted to update it, but you got busy
with all the other pressing IT issues. Maybe you didn’t have the right resources to run a risk analysis.
3. HIPAA Risk Analysis was too focused on technical elements. Many information security
managers think that “IT people always know best”, and as far as HIPAA goes, that’s not correct.
HIPAA rules need to be followed by the medical staff, by the medical records people, by the human
resources department, and by everyone who handles or accesses PHI (protected health information).
And the Risk Analysis has to reflect input from all these different roles.
4. No correlation between the HIPAA Risk Analysis Recommendations and the changes
that were made after the HIPAA Risk Analysis was completed. The HIPAA Security controls should
have been implemented in conjunction with the Risk Analysis, not added completely independently.
The Risk Analysis should be a road map, not a boring report that ended up locked in a file cabinet somewhere.
5. Inadequate training and security awareness program. In a recent HIPAA Risk Analysis,
the individuals surveyed said they had a few hours of HIPAA training when they joined the company,
but nothing since. Next question, how long had they been with the organization, and they said,
six years, twelve years, fifteen years, and yet they had never had UPDATED HIPAA Training
or even access to a security awareness program.
Don’t find out you’re not HIPAA Compliant, when a federal regulator is sitting out in the lobby.
BE PRO-ACTIVE and start your HIPAA Risk Analysis today. To get started, send your questions to firstname.lastname@example.org, or review the OCR Guidelines for HIPAA Risk Analysis at: