Posted by: Robert Markette
October 23, 2006

Phoenix Health Systems, the company that operates the HIPAAdvisory website reported the results of its most recent HIPAA compliance survey. Yet, again, the survey showed non-compliance to be widespread.

For example, in the security rule context, only 56% of providers claimed to be fully compliant with the security standards. This number is probably high, given that later in the report, it states that of the providers claiming full compliance, many could not confirm that they had implemented all of the key security standards. In other words, only 56% of providers claimed to be compliant, but not all of the providers who claimed to be compliant were compliant.

As for the privacy rule, 22% of providers have still not implemented privacy rule standards. According to the authors of the study, this represents a core group that will never comply. However of the 78% that claim compliance, the survey identified significant compliance gaps. Among those are the implementation of business associate agreements, minimum necessary disclosure requirements and monitoring internal compliance.

I am not surprised to learn that even compliant providers have issues with business associate agreements. Many providers are still not clear on what is a business associate and providers need to identify their business associates before they can implement agreements. I still hear of the occasional case of a treating provider asking another treating provider for a business associate agreement because they treat the same patient. Of course, providers treating a common patient (or patients) are not business associates

Identifying the business associates is only the first hurdle. The providers then need to implement compliant business associate agreements. The privacy and security rules set forth specific requirements for these agreements and often the agreements providers use are insufficient.

This just shows that, even after a number of years of HIPAA, there are still a large number of providers and other covered entities that are uninformed about HIPAA. Just recently, I heard of a state agency telling providers they needed the patients consent before they could disclose information for treatment or payment. The consent requirement has been out of the rule for some time and providers never needed an authorization to share information for treatment purposes.

The good news from this survey is that except for a percentage of providers who simply refuse, providers are continuing to work on compliance. It seems, however, that providers may need more education on the rules requirements so that they know what to work on.

News

HIPAA Privacy survey

News

Health Care

Topics

Recent Updates

Archives

Web Resources



	Home \| Attorneys \| Contact Us \| Site Map
	The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for individual advice regarding your own situation. Copyright © 2008 by Home Care Law Blog Gilliland & Markette LLP. All rights reserved. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include this copyright statement.