Neglecting Regular Training and Fresh Risk Assessments
One-and-done approaches to HIPAA training are a major no-no; over time, employees forget about their compliance obligations. One of the biggest problems is that people assume HIPAA compliance is a one-time effort. In reality, it has to be an ongoing effort.
Similarly, a one-time risk analysis of vulnerabilities is not only a lax approach to compliance; it could run afoul of HIPAA’s Security Rule, which stipulates that risk assessments must be periodically reviewed and updated when needed. Ongoing reinforcement is what builds a culture focused on privacy and security.
Not Doing Enough to Limit Data Access
A key provision of the Privacy Rule says that, to the extent disclosure of patient information is allowable, only the “minimum necessary” amount of information needed to achieve the objective may be released. Limiting access to certain employees is a good way to comply, but medical practices need to go further by ensuring those employees only have access at appropriate times. For example, some hospitals and physician practices have systems that block access to digital records when employees aren’t on the clock, which can cut down on snooping into celebrity files or other illicit browsing. Presumably, if someone is off the clock and accessing protected health information, they’re not providing services to that patient.
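As an added illustration (not code from the original article), the check below combines the two controls just described: a role's minimum-necessary field set and a shift-schedule gate, with every attempt written to an audit trail so that off-hours denials stand out as a snooping signal. The roles, fields, shifts and employee names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed "minimum necessary" scoping: which PHI fields each role may read.
ROLE_FIELDS = {
    "nurse": {"name", "allergies", "medications", "vitals"},
    "billing": {"name", "insurance_id", "visit_codes"},
}

# Constructed shift schedule: employee -> (clock-in, clock-out) for the day.
SHIFTS = {
    "alice": (time(7, 0), time(19, 0)),   # day-shift nurse
    "bob": (time(9, 0), time(17, 0)),     # billing clerk
}

AUDIT_LOG = []  # every attempt, allowed or not; off-hours denials are the review signal


@dataclass
class Decision:
    allowed: bool
    reason: str


def on_the_clock(user, now):
    """True only if `now` falls inside the user's scheduled shift window."""
    shift = SHIFTS.get(user)
    if shift is None:            # unknown or unscheduled user: never on the clock
        return False
    start, end = shift
    return start <= now.time() < end


def check_access(user, role, field, now):
    """Two gates, both must pass: the field is within the role's need-to-know
    set, and the user is currently on shift. The outcome is always logged."""
    if field not in ROLE_FIELDS.get(role, set()):
        decision = Decision(False, f"{role} has no need for {field}")
    elif not on_the_clock(user, now):
        decision = Decision(False, f"{user} is off the clock")
    else:
        decision = Decision(True, "in-role field during scheduled shift")
    AUDIT_LOG.append({"user": user, "field": field, "at": now.isoformat(),
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision


def off_hours_denials():
    """Audit entries worth a privacy officer's review: denied because off shift."""
    return [e for e in AUDIT_LOG if e["reason"].endswith("off the clock")]
```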