Feature Articles

FREE WEBINAR on THURSDAY: Lessons & Examples from 2023’s Breaches & Fines

March 21st Webinar: Highly sophisticated cybercriminal groups and state-sponsored hackers continue to target the healthcare industry. It has been the worst ever year for healthcare data breaches. Here are the stats for the year to date:

  • 725 data breaches have been reported to the HHS Office for Civil Rights.
  • The protected health information of more than 133 million individuals has been exposed or stolen.
  • Several multi-million-record data breaches were reported, including 3 that rank in the top 10 biggest data breaches of all time.
  • More healthcare records have been exposed in 2023 than in 2021 and 2022 combined.
  • The Office for Civil Rights imposed 13 financial penalties on HIPAA-regulated entities, including two financial penalties of more than $1 million.
  • State Attorneys General have also been actively enforcing HIPAA compliance, with 16 investigations leading to financial penalties, including a $49.5 million settlement with Blackbaud.

Free Webinar: Lessons & Actionable Tips From 2023 Data Breaches

Lessons can and should be learned from 2023’s data breaches. The free webinar will include these topics:

  • Discussion of some of the major data breaches of the year with explanations of how compliance with HIPAA could have prevented some of these breaches and regulatory fines.
  • A walk through the full extent of the HIPAA regulations with actionable tips that you can implement within your organization to help simplify the compliance process and protect your business from being breached or fined.
  • Attendees will also be provided with predictions about what can be expected in the coming year and beyond.
  • During the webinar, you will have the opportunity to ask questions, or you can email them in advance: webinar@compliancygroup.com

Free Webinar Details

Thursday, March 21, 2024

11:00 a.m. PT ¦ 12:00 p.m. MT ¦ 1:00 p.m. CT ¦ 2:00 p.m. ET

Host: Compliancy Group

Speaker: Liam Degnan, Compliancy Group, Director of Strategic Initiatives

The post FREE WEBINAR on THURSDAY: Lessons & Examples from 2023’s Breaches & Fines appeared first on HIPAA Journal.

HIPAA Pays Off: Why Invest in Compliance – Free Webinar Aug 17

Are you aware that investing in HIPAA compliance can actually result in increased revenue? Conversely, putting HIPAA compliance on the back burner can be detrimental to the organization.

The HIPAA compliance specialists, Compliancy Group, will be hosting a webinar to explain how investing in compliance can result in increased revenue.

Attendees will learn how and why investing time and money into HIPAA compliance can result in a positive year and will be provided with real-life examples of HIPAA-regulated entities that have invested time and money into their HIPAA compliance programs and have reaped the benefits.

Free Webinar Details

Thursday, August 17, 2023

11:00 a.m. PT ¦ 12:00 p.m. MT ¦ 1:00 p.m. CT ¦ 2:00 p.m. ET

Host: Compliancy Group

Speaker: Liam Degnan, Compliancy Group, Director of Strategic Initiatives


The post HIPAA Pays Off: Why Invest in Compliance – Free Webinar Aug 17 appeared first on HIPAA Journal.

What Are HIPAA Laws?

The main objective of HIPAA law is to protect the privacy of an individual’s health information while at the same time permitting needed information to be disclosed for patient care and other purposes such as billing. This balance helps protect the rights of patients while ensuring smooth operation of the healthcare system.

HIPAA compliance laws set the standards for protecting sensitive patient data that healthcare providers, insurance companies, and other covered entities must adhere to. You can use our HIPAA Law Compliance Checklist to check your compliance requirements and avoid HIPAA violations.

What follows is an overview of the main components of HIPAA Law:

The HIPAA Law Privacy Rule

A key component of HIPAA compliance law is the Privacy Rule, which sets out national standards for when protected health information (PHI) may be used and disclosed.

PHI refers to any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This interpretation of PHI is broad and encompasses any part of a patient’s medical record or payment history.

Under the Privacy Rule, healthcare providers must implement necessary safeguards to protect the privacy of PHI. These safeguards are both physical (like locking filing cabinets) and technical (like password-protected electronic health records). Patients also have the right under the Privacy Rule to access, inspect, and obtain a copy of their PHI.

The HIPAA Law Security Rule

Another component of HIPAA compliance is the Security Rule. This rule applies specifically to electronic protected health information (ePHI), and covers the three types of security safeguards required: administrative, physical, and technical. These safeguards help to ensure that electronic patient data is secure from unauthorized access, loss, or damage.

Administrative safeguards focus on creating policies and procedures designed to clearly show how a Covered Entity must comply with HIPAA. Physical safeguards involve securing the physical facilities and equipment where data is stored and accessed. Technical safeguards refer to the technology and policy and procedures for its use that protect ePHI and control access to it.

HIPAA Privacy Officers

Under the HIPAA compliance laws, organizations are obligated to designate a privacy officer responsible for implementing and maintaining the policies. PHI access should be strictly limited on a “need-to-know” basis, thereby ensuring that only those who need this information to perform their job responsibilities can access it.

Who Is Subject To HIPAA?

The standards for electronic transactions that qualify an organization as a HIPAA Covered Entity appear in CFR 45 Part 2. Generally, an organization is a HIPAA Covered Entity when it is:

  • A healthcare provider that conducts electronic transactions.
  • A health plan
  • A healthcare clearinghouse

Exceptions to this definition occur where an organization that does not qualify as a Covered Entity is somewhat involved in covered transactions, for example, if it acts as an intermediary between an employee, a healthcare provider, and a health plan.

Additionally, an organization that self-administers a health plan but has fewer than fifty participants is not considered to be a Covered Entity.

HIPAA Law For Business Associates

A vital aspect of compliance is the execution of Business Associate Agreements (BAAs) with any third-party vendors accessing PHI. These agreements set the standard for PHI use and disclosure by business associates, placing limits and conditions on their actions involving PHI.

Does HIPAA Apply To Employment Records?

One potentially confusing area of the Administrative Simplification Regulations relates to employment records, HIPAA law, and employers. This is because the definition of individually identifiable health information in §160.103 includes “information collected from an individual or created or received by a health care provider, health plan, employer, or health care clearinghouse.”

However, the definition of Protected Health Information (also in §160.103) excludes “employment records held by a Covered Entity in its role as an employer.” This exclusion applies to individually identifiable health information an employer might receive and maintain in an employment record to explain – for example – the reason for a leave of absence due to sickness or an injury.

HIPAA Law Enforcement and Penalties

Enforcement of HIPAA regulations is managed by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS). If an entity is found to be non-compliant with HIPAA, they can face hefty fines and penalties. Fines are tiered based on the entity’s knowledge and handling of the breach.

The HIPAA Safe Harbor Law, introduced in January 2021, takes into account existing security practices when determining HIPAA violation penalties. For instance, if an entity didn’t know and, by exercising reasonable diligence, wouldn’t have known of a violation, the penalty may be less severe. However, if a violation is due to willful neglect and not corrected, the penalty can be very significant.

Summary: HIPAA Compliance Laws

HIPAA compliance laws are an essential aspect of healthcare, ensuring the protection and secure handling of sensitive patient health information. By establishing a framework of compliance through its Privacy and Security Rules, HIPAA has become a linchpin of patient rights and privacy within the healthcare sector.

As healthcare professionals, understanding and adhering to HIPAA regulations is not just a legal obligation but also a commitment to maintaining the trust and confidence of the patients they serve. The adherence to HIPAA compliance laws forms a crucial part of any covered entity’s operational framework.

The post What Are HIPAA Laws? appeared first on HIPAA Journal.

AI in Healthcare

The topic of AI in healthcare often gets mixed reactions. While some people are firm believers in the benefits of AI in healthcare, including the considerable benefits to patients, others have concerns about the ethics of AI in healthcare, and much of the apprehension about the use of AI in healthcare is attributable to a lack of knowledge about AI. In this article, we will explain what artificial intelligence is, the benefits of AI in healthcare, and how concerns about the ethics of AI in healthcare need to be overcome.

What is Artificial Intelligence (AI)?

One of the reasons why some people approach the topic of AI in healthcare with a degree of apprehension is that different sources offer different definitions of AI. It is also the case that some sources confuse AI with Machine Learning (ML), which strictly speaking is a subset of AI. To quote Microsoft’s definitions of the two terms:

Artificial intelligence is the capability of a computer system to mimic human cognitive functions such as learning and problem-solving. Through AI, a computer system uses math and logic to simulate the reasoning that people use to learn from new information and make decisions.

Machine learning is an application of AI. It is the process of using mathematical models of data to help a computer learn without direct instruction. This enables a computer system to continue learning and improving on its own, based on experience.

Therefore, while AI and ML are closely connected, they are not the same. Generally, a computer system uses AI to think like a human and perform tasks on its own, whereas ML is how a computer system develops its intelligence. Importantly, many of the concerns related to AI in healthcare revolve around how computer systems develop Artificial Intelligence and their capabilities to learn and make decisions without human instruction.

How Computer Systems Develop Artificial Intelligence

There are many different standard and hybrid techniques that determine how computer systems develop Artificial Intelligence. Generally, most follow the same two-stage process:

Supervised Learning

Most new AI systems start with a supervised learning process in which labeled datasets with known outcomes are fed into a system to train an algorithm on how to classify data. The outcomes produced by the system are then weighted to match the previously known outcomes. Often, this stage is followed by “semi-supervised learning” in which labeled datasets guide the algorithm as it classifies unlabeled datasets and predicts outcomes for the unlabeled data.

Unsupervised Learning

In unsupervised learning, the trained algorithm has to detect underlying patterns and relationships in never-before-seen unlabeled data in order to produce accurate outcomes. With unsupervised learning, it is important to remember that the aim is to make sense of data in the context of a specific question. How the answer is determined will depend on how the algorithm has been trained and weighted during the supervised and semi-supervised stages.
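The two-stage process described above (train on labeled data, adjusting weights whenever the output disagrees with the known outcome, then apply the trained model to unlabeled data) can be shown in a few dozen lines. The following is an added example, not code from the HIPAA Journal article or from any of the companies it names; the training readings, the feature names and the "flag for review" label are all constructed for illustration and carry no medical meaning.

```python
"""Added example (not from the original article): a minimal two-stage
learning loop using a perceptron.  Stage 1 (supervised) adjusts the
weights whenever a prediction disagrees with a known label; stage 2
applies the trained weights to unlabelled readings it has never seen.
All data below is constructed for illustration only."""

# Constructed labelled training set: (feature_1, feature_2) -> label.
# Label 1 marks "flag for review", label 0 marks "normal". Values are made up.
TRAINING_DATA = [
    ((0.1, 0.2), 0),
    ((0.2, 0.1), 0),
    ((0.3, 0.3), 0),
    ((0.8, 0.9), 1),
    ((0.9, 0.7), 1),
    ((0.7, 0.8), 1),
]


def predict(weights, bias, features):
    """Classification step: weighted sum of the features, then a threshold."""
    score = sum(w * x for w, x in zip(weights, features)) + bias
    return 1 if score > 0 else 0


def train(data, epochs=20, learning_rate=0.1):
    """Supervised stage: start from zero weights and nudge them towards the
    known outcome each time the current prediction is wrong (perceptron rule)."""
    weights = [0.0] * len(data[0][0])
    bias = 0.0
    for _ in range(epochs):
        for features, label in data:
            error = label - predict(weights, bias, features)
            if error != 0:
                weights = [w + learning_rate * error * x
                           for w, x in zip(weights, features)]
                bias += learning_rate * error
    return weights, bias


def training_accuracy(weights, bias, data):
    """Fraction of the labelled data the trained weights now classify correctly."""
    correct = sum(predict(weights, bias, f) == label for f, label in data)
    return correct / len(data)


def classify_unlabelled(weights, bias, unlabelled):
    """Second stage: the trained model produces outcomes for data it has no labels for."""
    return [predict(weights, bias, f) for f in unlabelled]


if __name__ == "__main__":
    w, b = train(TRAINING_DATA)
    print("weights:", w, "bias:", b)
    print("training accuracy:", training_accuracy(w, b, TRAINING_DATA))
    # Constructed unlabelled readings the model has never seen.
    print("unlabelled outcomes:", classify_unlabelled(w, b, [(0.1, 0.1), (0.9, 0.9)]))
```

Two points the article makes are visible directly in the code: the "answers" the model gives for unlabelled data are entirely a product of the labels and readings it was trained on and of how the weights were adjusted, so the quality and provenance of that training data decide the quality of the output; and the threshold in `predict` is the only place a decision is made, which is where a reviewer would look when auditing why a reading was flagged.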

While this explanation might fail to reassure those who are concerned or apprehensive about AI – because “answers” are dependent on how the algorithm has been trained, the quality of data used to train the algorithm, how the output is weighted, and what the question is that the algorithm is trying to answer – artificial intelligence has in fact been present in many areas of everyday life for several years. For example:

  • Most people have played a video game against an AI-driven computer
  • AI is used by the finance industry to detect potential credit card fraud
  • The security industry uses AI to monitor multiple clusters of CCTV systems
  • Netflix “because you watched” recommendations are produced by AI
  • AI produces the routes recommended by Google Maps and other travel apps
  • Many email spam filters and antivirus software solutions are fine-tuned by AI

But, what about AI in healthcare? How is that being used, who is using it, and what are the benefits? Additionally, are concerns about the ethics of AI in healthcare justified; and, if so, what can be done to overcome the concerns? These questions are easier to answer with an understanding of what AI is and how computer systems develop artificial intelligence.

Examples of AI in Healthcare

AI in healthcare is an umbrella term for all the many different ML algorithms and other cognitive technologies that are used in the healthcare industry. Some algorithms are more advanced than others, most have been designed to answer specific questions, and – even when the specific question is the same – some have been trained or weighted differently from others.

Consequently, there are many examples of AI in healthcare from patient-orientated AI such as chatbots that can listen to a patient’s symptoms and health concerns, to pharma-orientated AI that can help bring life-saving treatments to market faster. Between either end of the healthcare spectrum, there are many more examples of AI in healthcare:

Medical Imaging

Using computer vision to identify health conditions in medical images is quickly becoming a primary use for AI-driven technology. More advanced algorithms can distinguish tumors from lesions and other diseases – resulting in more accurate diagnoses, faster administration of treatments, and better patient outcomes.

Precision Medicine

Similarly, computer systems that have been trained on precision medicine can develop medicinal or behavioral regimes specifically tailored to each patient depending on their condition, metabolic profile, microbiome composition, diet, lifestyle, sleep patterns, and many more data points collected and analyzed over years.

Physician Guidance

While robots performing major surgeries may still be a science fiction fantasy, some AI technologies have been developed that can guide physicians during minimally invasive surgical procedures via automated workflows and decision support. Most often, these technologies are used in treating strokes and heart conditions and for endovascular procedures.

Detecting Patient Deterioration

In post-acute environments, healthcare providers dedicate a lot of resources to checking vital signs to identify postoperative adverse events. AI-enabled tools can help care teams by calculating early warning scores that detect patient deterioration due to events such as respiratory failure or cardiac arrest – thus enabling more rapid responses.

Predictive Equipment Maintenance

As well as detecting patient deterioration, AI can be deployed to predict when medical equipment is in need of maintenance. Through remote sensing, AI can monitor the performance of medical hardware to proactively identify when it may need maintenance or replacement – reducing downtime, preventing avoidable interruptions to clinical practice, and mitigating patient delays.

Automated Resource Allocation

A major administrative challenge for large healthcare providers is patient flow and resource allocation. The failure to have the right resources in the right place at the right time puts patients at risk and increases unnecessary bed occupancy. However, using AI to identify patterns from real-time and historical data enables providers to optimize flow management efficiency.

Healthcare AI Companies

Compiling a list of healthcare AI companies is difficult because companies face multiple challenges in developing AI solutions that demonstrate real-world performance, meet medical needs, and address regulatory requirements. Consequently, many start-ups fail to make an impact in the healthcare industry and redirect their talents elsewhere. Some of those currently making an impact include:

PathAI

PathAI was founded with the aim of developing AI technology that could reduce error rates in pathology. The company’s AISight pathology platform was developed, trained, and validated using more than fifteen million annotations, and PathAI is now in the process of developing diagnostic solutions for gastroenterologists, dermatologists, oncologists, urologists, and gynecologists.

Regard

Unlike patient-orientated AI which can help users identify the causes of symptoms, Regard is an end-to-end AI solution for physicians that analyzes and synthesizes patient data, recommends diagnoses, and automates note-taking. By mitigating the risk of misdiagnoses and tackling repetitive tasks, physicians have more time available to see more patients and maximize revenues.

Freenome

Freenome is one of a number of healthcare AI companies that combine computational biology and machine learning to support better cancer management through early detection and precision intervention. Freenome’s AI platform can be deployed at general screenings or used to detect signs of cancer in diagnostic and blood tests.

Beth Israel Lahey Health

The Beth Israel Deaconess Medical Center – also known as Harvard University’s teaching hospital – used 25,000 images of blood samples to develop an AI-enhanced microscope that can detect harmful bacteria such as staphylococcus and E. coli much faster than is possible using manual scanning. To date, the microscopes have achieved a 95% accuracy rate.

VirtuSense

VirtuSense uses AI sensors to track inpatients’ movements so that providers and caregivers can be notified of potential falls. The company’s product range includes VSTAlert, which can predict when a patient intends to stand up and alert care teams, and VST Balance, which employs AI and machine vision to analyze a person’s risk of falling within the next year.

Benefits of AI in Healthcare

The above examples of AI in healthcare and technologies developed by healthcare AI companies focus on the “in-house” benefits of AI in healthcare inasmuch as they help deliver accurate diagnoses and treatment plans, prevent adverse events and accidents, and improve patient flow management. Outside of hospital environments, there are many further benefits of AI in healthcare.

From a patient’s perspective, AI technologies not only improve outcomes and help prevent adverse events in hospitals but can also enhance the remote patient experience. Advocates of AI in healthcare see AI as a way of providing convenient access to medical advice in the home, increasing patient engagement, and empowering patients to take more responsibility for their health and well-being.

Further benefits of AI in healthcare relate to how quickly pharmaceutical companies can bring new drugs to markets. Drug development processes can be significantly accelerated with AI technologies that quickly extract meaningful information from large datasets to predict harmful interactions with existing drugs, improve the quality of clinical trials, and reduce time to approval.

One recent example of the benefits of AI in healthcare is how AI was used during the COVID-19 pandemic to detect outbreaks, facilitate diagnoses, and accelerate gene sequencing. It is hoped that, as a tool for public health, AI can be used in the future to predict and track the spread of other infectious diseases by analyzing data from government, healthcare, and other sources.

Ethics of AI in Healthcare

According to a survey conducted by Dataiku in 2020, concern about the ethics of AI in healthcare is the primary organizational challenge stalling the adoption of AI in healthcare environments. Although specific concerns differ by organization, the concerns can generally be categorized as informed consent to use data, safety and transparency, algorithmic fairness, and data privacy.

These concerns are not unique to the United States nor to the healthcare industry. Governments and regulatory agencies across the world have struggled to resolve this challenge – with many implementing rules and regulations to govern how AI is used. In the United States, a patchwork of state and federal laws partially addresses the challenge, but many concerns remain.

To help support governments and regulatory agencies pass fair and consistent legislation, in 2021 the World Health Organization published guidance on the “Ethics and Governance of Artificial Intelligence for Health”. This comprehensive publication endorses six key ethical principles for consideration by governments, developers, companies, and society as a whole:

  • Protect human autonomy
  • Promote human well-being, safety, and the public interest
  • Ensure transparency, explainability, and intelligibility
  • Foster responsibility and accountability
  • Ensure inclusiveness and equity
  • Promote AI that is responsive and sustainable

Although political influences have resulted in the United States AI strategy shifting towards a market-orientated approach, the National Defense Authorization Act 2021 instructed the National Institute of Standards and Technology (NIST) to develop a framework for trustworthy AI systems that establishes common definitions and characterizations for aspects of trustworthiness.

With the exception of protecting human autonomy, the five remaining key ethical principles endorsed by the World Health Organization likely will be incorporated into the framework according to NIST’s latest report to Congress. If approved by Congress, the NIST AI standards could resolve many of the concerns about the ethics of AI in healthcare.

How NIST Standards Could Accelerate AI Adoption in Healthcare

In January 2021, a HITECH Act update came into effect – an amendment that gave the HHS’ Office for Civil Rights enforcement discretion when investigating data breaches if the breached organization could demonstrate twelve months’ continuous compliance with “standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the NIST Act” or a similar Act.

There is no evidence that HIPAA Covered Entities and Business Associates took their compliance obligations any more seriously after the enactment of the HITECH Act update, but it is noticeable that – despite a significant increase in the number of financial penalties issued by HHS’ Office for Civil Rights in the past two years – only four have been for violations of the Security Rule.

If there are amendments to the NIST Act to incorporate AI standards, and if a law is passed giving HHS’ Office for Civil Rights enforcement discretion when the standards are applied in healthcare organizations, this could accelerate AI adoption in healthcare as not only would it resolve many of the concerns about the ethics of AI in healthcare, it would also resolve the second highest challenge to the adoption of AI in healthcare (according to Dataiku) – the lack of regulatory guidance.

The Future of AI in Healthcare

The future of AI in healthcare is unclear if concerns about the ethics of AI in healthcare and the lack of regulatory guidance are allowed to continue. If the situation remains as it is, AI will continue to be incorporated into healthcare processes in piecemeal stages – which will continue to add value to healthcare operations and improve the patient experience but may result in inequalities that could make the wider adoption of AI in healthcare much more difficult in the future.

Alternatively, and notwithstanding that AI technologies are improving and becoming more sophisticated all the time, federal agencies – including the HHS – could introduce temporary guidance on the use of AI until such time as effective standards are developed. This would give healthcare organizations more confidence to adopt AI technologies with benefits for patients, organizations, and public health in general.

The post AI in Healthcare appeared first on HIPAA Journal.

Editorial: Benefits of HIPAA for Healthcare Organizations

One of the problems with developing legislation for the entire healthcare industry is rules must be written for organizations of different sizes, with vastly different business models, budgets, staffing levels, and capabilities. Rules need to be written that are sufficiently flexible to accommodate this variety and be appropriate for all organizations and their unique operating structures.

One of the challenges with developing HIPAA was to create rules that would correct inefficiencies and get the healthcare system working more harmoniously. They also needed to stand the test of time and be flexible enough to accommodate changes that could not be envisaged when the legislation was signed into law. When the Privacy and Security requirements were introduced, they needed to be specific enough to serve as a practical framework for healthcare organizations to follow yet be flexible enough to account for changes in technology and operating practices over time.

This was vital as the process of updating legislation is simply too slow to allow for regular changes to be made. The HHS needs to issue a request for information to find out what needs to change, process the feedback, then a notice of proposed rulemaking, review the comments on the proposed changes, pen the final rule, issue that rule, and provide sufficient time for healthcare organizations to comply with the changes. That process spans several years, yet working practices evolve and new technology is constantly being introduced.

The way that HIPAA needed to be written has naturally led to the legislation receiving a lot of criticism. HIPAA has been criticized for having too many requirements and also not enough in certain areas, and for being too inflexible and difficult to interpret, and challenging to comply with. Despite the challenges of compliance and the gaps in HIPAA, the legislation has provided many benefits for healthcare organizations, healthcare professionals, patients, and health plan members. The legislation is far from perfect and HIPAA is in desperate need of updating – new HIPAA regulations will soon be introduced – but in its current form, the benefits of this important legislative act far outweigh any disadvantages.

In this article – and the next two in the series – I will explain the benefits of HIPAA and how the proposed Privacy Rule changes will help to address some of the current pain points and should significantly improve HIPAA for healthcare organizations, their employees, patients and members. You can read about the benefits of HIPAA for healthcare professionals here.

How HIPAA has Benefited Healthcare Organizations

HIPAA was signed into law more than 25 years ago in 1996 before many current healthcare workers had even been born. For those in the industry old enough to remember, at that time there was a desperate need to improve efficiency in the healthcare industry, as a huge amount of time and effort was wasted on inefficient manual processes, the cost of which was driving up the cost of healthcare at an unsustainable level.

HIPAA improved efficiency by standardizing healthcare transactions across the industry, including requiring all healthcare organizations to use the same standard code sets and follow standard administrative practices. Not only did the standards introduced by the HIPAA Administrative Simplification Rules help to eliminate waste and reduce the administrative burden on healthcare organizations, they have also helped to improve patient safety by reducing the potential for medical errors by making it easier to match records with the right patients. Before the introduction of HIPAA, healthcare fraud was rife and was costing the healthcare industry around $7 billion a year. The standardization of healthcare transactions has helped to significantly reduce fraud.

The introduction of the HIPAA Privacy, Security, and Breach Notification Rules brought many benefits to healthcare organizations, but also some of the biggest pain points for HIPAA-covered entities. These updates required considerable changes to working practices and came with a significant administrative burden. HIPAA set clear – and sometimes not so clear – rules on how health information can be used and disclosed, how health information must be handled, and the policies and procedures that need to be implemented to ensure the confidentiality, integrity, and availability of protected health information. The HIPAA Privacy Rule has empowered patients to take a much more active role in their healthcare, allowing them to check their medical records for errors and get any errors corrected, which has helped to reduce the risk of medical errors and improve patient outcomes, which naturally has many benefits for healthcare organizations. By having standard rules in place, patients have the same rights no matter where they obtain care, and the safeguards to ensure the confidentiality of health information have helped to build trust between patients and their healthcare providers.

The HIPAA Security Rule set standards for all covered entities to follow to ensure the confidentiality, integrity, and availability of electronic health information and helped healthcare providers successfully transition from paper records and charts to electronic health records and encouraged the adoption of new technologies for improving efficiency and the quality of care in a safe and secure way. The HIPAA Security Rule was not meant to be a comprehensive checklist of every security measure that should be considered or implemented, rather it is a set of minimum standards for security that must be achieved. By adopting those standards, healthcare organizations have prevented many data breaches and avoided the considerable costs of those breaches. Many of the data breaches now being reported are due to employee errors and non-compliance with the HIPAA Security Rule.

The HIPAA Breach Notification Rule provides important benefits to patients, but there are also benefits for healthcare organizations. Compliance with this aspect of HIPAA ensures transparency about unauthorized access and disclosures of protected health information, and promptly notifying patients about data breaches – which are often out of the control of healthcare organizations – can improve trust in healthcare organizations and reduce the reputational damage caused by data breaches. Importantly, HIPAA lacks a private cause of action, which helps HIPAA-covered entities avoid the considerable legal costs of defending lawsuits from patients who believe their privacy has been violated.

How the Proposed Updates to the HIPAA Privacy Rule will Benefit Healthcare Organizations

While the HIPAA Rules lack specificity in certain areas and incorporate flexibilities to avoid the need for regular updates, updates to HIPAA are required to accommodate changes in working practices and advances in technology, and to correct the elements that are either not achieving the purpose they were intended to or are no longer important. There has also been considerable criticism over the years that HIPAA continues to place an unnecessary administrative burden on healthcare organizations. After issuing an RFI, OCR published a Notice of Proposed Rulemaking in 2021 to update the HIPAA Privacy Rule, mostly to strengthen individuals’ rights to access their own health information and to reduce the administrative burden on healthcare organizations.

These Privacy Rule changes should help to improve information sharing, which will make patient care coordination and case management easier, including the coordination and management of care through social and community services. The updates will also facilitate family and caregiver involvement in the care of individuals who are experiencing emergencies or health crises. The restrictions of HIPAA became clear throughout the opioid and COVID-19 public health emergencies. The update helps to address this by incorporating flexibilities to permit disclosures in emergencies and threatening circumstances. These updates will help healthcare providers deliver better care and improve patient outcomes.

The amount of paperwork involved in providing healthcare also needed to be addressed. Finally, some of the time-consuming tasks that healthcare organizations still need to perform manually are being eliminated, such as the requirement for a covered entity to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices and retain copies of that documentation for 6 years.

Any update to HIPAA comes with a considerable workload initially but the benefits should be felt quickly. OCR believes the efficiencies introduced by the Privacy Rule changes will help to save $3.2 billion over five years, thus limiting the increase in the cost of healthcare. The Final Rule has yet to be published in the Federal Register, but that should finally happen in 2023.

Healthcare Organizations are Still Struggling with HIPAA Compliance After 26 Years

HIPAA has been in effect for 26 years, the Privacy and Security Rules for two decades, and the Omnibus Rule and Breach Notification Rules for 14 years, yet HIPAA compliance is still proving to be a challenge for many healthcare organizations.

One of the common complaints about HIPAA that makes compliance complicated is the frequent use of terms such as ‘reasonable’: exercise reasonable diligence, implement reasonable and appropriate policies and procedures, reduce risks and vulnerabilities to a reasonable and appropriate level. There are also ‘required’ and ‘addressable’ provisions, where addressable provisions are still required elements of compliance, in some form. These flexibilities are what make HIPAA workable for such a wide range of healthcare organizations and keep it relevant, but they can present significant challenges for healthcare organizations, especially smaller practices that lack the staff and resources to devote to compliance.

One of the ways that many smaller healthcare organizations have simplified compliance and ensured all the i’s are dotted and t’s are crossed is by using HIPAA compliance software. These software solutions guide healthcare organizations through compliance with all aspects of the HIPAA Rules, eliminating the guesswork and making sure that no provisions are overlooked. The software can be used to achieve compliance and maintain the compliance program, prompting risk analyses, updates, and training, and ensuring compliance efforts are fully documented to ensure painless audits and investigations.

Security Rule compliance can be particularly challenging, as the Security Rule does not provide specifics about technologies that should be used to protect healthcare data. Many healthcare organizations have simplified compliance and gone above and beyond the requirements of HIPAA by adopting a cybersecurity framework. Frameworks such as the NIST Framework for Improving Critical Infrastructure Cybersecurity and the HITRUST Cybersecurity Framework provide structure, transparency, and guidance for achieving compliance with HIPAA and other privacy and security regulations and provide clarity and consistency while reducing the burden of compliance.

In 2021, the HITECH Act received an update to encourage the adoption of recognized security practices such as those developed under section 405(d) of the Cybersecurity Act of 2015 and covered by these cybersecurity frameworks to improve cybersecurity across the healthcare industry. The update provides incentives in the form of reduced penalties and sanctions and shorter audits and investigations by OCR, which considers the adoption of recognized security practices as a mitigating factor when making determinations about HIPAA Security Rule violations and data breaches.

HIPAA is Only the First Step

The main benefits of HIPAA for healthcare organizations are improvements in efficiency through standardized working practices which eliminate waste, improve patient safety, and boost profits. HIPAA compliance fosters trust between providers and patients and health plans and their members and helps to improve patient outcomes, increase patient and client loyalty, and improve retention.

However, HIPAA is just a set of minimum standards for privacy and security, so HIPAA compliance can be viewed as only the first step. Adopting a cybersecurity framework and implementing recognized security practices will further strengthen an organization’s security posture, and thanks to the HITECH Act update, there is now an added incentive for doing this.

Steve Alder, Editor-in-Chief, HIPAA Journal

The post Editorial: Benefits of HIPAA for Healthcare Organizations appeared first on HIPAA Journal.

Webinar Today: 12/6/2022: How to Complete Your 2022 Risk Assessment

The Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-covered entities and their business associates to complete a risk assessment. The purpose of the risk assessment is to identify and evaluate all risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). An annual risk assessment is also required by MACRA/MIPS.

Only by conducting a risk assessment is it possible to identify all risks to ePHI, evaluate them, prioritize them, and then subject them to the risk management process. Despite the importance of this element of HIPAA compliance, it is one of the most commonly cited HIPAA violations by the HHS’ Office for Civil Rights in its enforcement activities and HIPAA audits.

The risk assessment should not be viewed as a HIPAA compliance checkbox item to avoid financial penalties. Conducting a comprehensive HIPAA risk assessment will identify vulnerabilities before they are found and exploited by threat actors. Completing an annual HIPAA risk assessment will help HIPAA-regulated entities prevent costly data breaches as well as avoid regulatory fines.

To help you complete your 2022 HIPAA risk assessment and ensure you are fully compliant, Compliancy Group is hosting a webinar that provides an overview of everything you need to know about completing your 2022 risk assessment. Previous webinars have already helped many HIPAA-regulated entities ensure compliance with this important HIPAA requirement.

The 2022 deadline is approaching so covered entities must conduct their HIPAA risk assessment by the end of the year. Due to popular demand and the importance of the subject matter, this webinar is now being run again in December.

Mark the date in your calendar and register for the webinar using the form below.

2022 Deadline Approaching Fast

How to Complete your 2022 HIPAA Risk Assessment

December 7th @ 2:00 pm ET ¦ 1:00 pm CT ¦ 12:00 pm MT ¦ 11:00 am PT


Reader Offer: Free Annual HIPAA Risk Assessment

HIPAA Journal has partnered with The Compliancy Group to offer its readers a free annual HIPAA Risk Assessment.


Covered Entities like medical practices and Business Associates like IT providers are required to conduct a HIPAA risk assessment by the 2003 HIPAA Security Rule (45 CFR § 164.308 – Security Management Process) and the HITECH Act of 2009.


Webinar Today: How to Become HIPAA Compliant

Healthcare organizations and their business associates need to be HIPAA compliant, but complying with the HIPAA Rules can be a daunting task and many new businesses don’t know where to start.

To help HIPAA-regulated entities get on the right track, Compliancy Group is hosting a webinar this month and will explain the ins and outs of what is needed for your compliance program.

In the webinar, you will learn:

  • How HIPAA satisfies your patients/clients
  • The 7 fundamental elements of an effective compliance program
  • The benefits of being HIPAA compliant
  • How to protect your business from breaches and fines
  • And many more tips and tricks!

Join Compliance Group to learn how your organization can become compliant and how to start leveraging the full benefits of HIPAA.

Webinar: How to Become HIPAA Compliant

Wednesday, April 13th, 2022 @ 11:00 a.m. PT ¦ 2:00 p.m. ET

Host: Compliancy Group


Video: Why HIPAA Compliance is Important for Healthcare Professionals

Many sources explaining why HIPAA compliance is important for healthcare professionals tend to focus on the purpose of HIPAA regulations rather than the benefits of compliance for healthcare professionals. The same sources also tend to focus on how noncompliance affects patients and employers, rather than the impact it can have on healthcare professionals’ lives.

This article discusses why HIPAA compliance is important for healthcare professionals from a healthcare professional’s perspective. It explains why healthcare professionals cannot avoid HIPAA, and that, by complying with HIPAA, healthcare professionals can foster patient trust, keep patients safer, and contribute towards better patient outcomes. This in turn raises morale, creates a more rewarding work experience, and enables healthcare professionals to get more from their vocation.

Conversely, the failure to comply with HIPAA can have significant professional and personal consequences. Yet the failure to comply with HIPAA is not always a healthcare professional’s fault. Sometimes it can be due to insufficient training or cultural norms. We look at why Covered Entities might not always be able to provide sufficient training or monitor HIPAA compliance, why they may not accept responsibility when an avoidable HIPAA violation occurs, and how you can avoid HIPAA violations due to a lack of knowledge.


Why Healthcare Professionals Cannot Avoid HIPAA

One of the objectives of HIPAA is to provide a federal floor of privacy protections for individuals’ identifiable health information held by Covered Entities. To achieve this objective, the Privacy and Security Rules impose standards that Covered Entities must comply with in order to protect the privacy of “Protected Health Information” (PHI). The failure to comply with the HIPAA standards can result in substantial financial penalties – even when no data breach occurs and PHI is not compromised.

Most healthcare organizations are Covered Entities and, as such, are required to implement policies and procedures to comply with the Privacy and Security Rule standards. As employees of Covered Entities, healthcare professionals are required to comply with their employer’s policies and procedures. This is why healthcare professionals cannot avoid HIPAA. However, this is not the only reason why HIPAA compliance is important for healthcare professionals.

The Benefits of HIPAA Compliance for Healthcare Professionals

There is little doubt the most important element of a patient/healthcare professional relationship is trust. Patients trust their healthcare professionals with intimate details of their lives because they trust healthcare professionals work in their best interests to achieve optimal health outcomes. However, trust can be a fragile commodity. If their intimate details are exposed due to a HIPAA violation, patients may withhold information crucial to the delivery of care despite the potential long-lasting consequences for their health.

Healthcare professionals can mitigate the risk of trust being broken by complying with the policies and procedures implemented by their employer to prevent HIPAA violations. When patients are confident their privacy is being respected, this fosters trust – which contributes to the delivery of better care in order to achieve optimal health outcomes. Better patient outcomes raise the morale of healthcare professionals and result in a more rewarding work experience.

The Professional and Personal Consequences of Noncompliance

One of the policies a Covered Entity is required to implement is a sanctions policy for when members of its workforce do not comply with HIPAA policies and procedures. Covered Entities are required to enforce the sanctions policy and act on HIPAA violations by healthcare professionals because, if they don’t enforce the sanctions policy, the Covered Entity will be in violation of HIPAA. Furthermore, if the Covered Entity fails to act, noncompliance can deteriorate into a cultural norm.

Being sanctioned for a HIPAA violation can have professional and personal consequences for healthcare professionals. Penalties can range from verbal warnings to the loss of professional accreditation – which will make it difficult for a healthcare professional to get another job – and, if a criminal conviction results from the noncompliance, it will likely be reported in the media, which will have repercussions for a healthcare professional’s personal reputation.

Who is Responsible for HIPAA Violations?

As mentioned previously, the failure to comply with HIPAA is not always the healthcare professional’s fault. Although Covered Entities are required to provide training on policies and procedures that relate to healthcare professionals’ functions, they may not have the resources to provide training on every conceivable scenario a healthcare professional may encounter, or to monitor compliance 24/7 in order to prevent the development of cultural norms.

Consequently, unintentional violations of HIPAA can occur due to a lack of knowledge. However, Covered Entities are not always willing to accept responsibility for unintentional violations due to a lack of knowledge because it implies they failed to conduct a thorough risk assessment, overlooked a threat to the privacy of PHI, and failed to provide “necessary and appropriate” training – or, when a cultural norm has developed, failed to monitor compliance with policies and procedures.

How You Can Avoid Unintentional Violations of HIPAA

The best way to avoid unintentional HIPAA violations and the professional and personal consequences of noncompliance – even when they are not your fault – is to ensure your knowledge of HIPAA covers every area of your role and the scenarios you may encounter. To achieve this level of knowledge, you should take advantage of third-party HIPAA training courses that provide you with an in-depth knowledge of HIPAA and its rules and regulations.

Taking responsibility for your own knowledge of HIPAA – and using that knowledge to work in a HIPAA-compliant manner – protects your career, improves your job prospects, and enables you to get more from your vocation. Given the choice, most healthcare professionals would prefer to work in an environment which operates compliantly to deliver better patient outcomes, in which morale is high, and in which the healthcare professional enjoys a more rewarding work experience.
