Why 71% of HIPAA Journal Newsletter Subscribers Conduct Annual HIPAA Compliance Reviews
Recently, we invited subscribers to The HIPAA Journal newsletter to take our new free HIPAA Compliance Assessment for HIPAA Covered Entities. An analysis of the results reveals that 71% of subscribers who took the assessment already conduct annual HIPAA compliance reviews.
It should be noted that the people testing the assessment were subscribers to The HIPAA Journal newsletter, so they are already highly motivated about HIPAA compliance. The proportion conducting annual reviews would probably be much lower if the survey were conducted on a random sample of Covered Entities.
HIPAA mandates HIPAA compliance reviews but does not specifically mandate that the reviews should be conducted annually. However, the regulations do require Covered Entities and Business Associates to review and modify the measures implemented to safeguard electronic Protected Health Information (§164.306(e)), and to conduct “periodic technical and nontechnical evaluations” to ensure policies and procedures implemented to comply with the HIPAA Security Rule are effective (§164.308(a)(8)).
With regard to the frequency of reviews and evaluations, in 2005 the Centers for Medicare and Medicaid Services (CMS) published a guide to the “Basics of Risk Analysis and Risk Management” (PDF) in which it is implied that risk analyses should be conducted “annually or as needed”. This implied annual cadence for risk analyses has since been adopted by security experts as an industry best practice to support HIPAA compliance.
The HIPAA Journal promotes annual HIPAA compliance reviews as a best practice, which is why we are offering a confidential, free HIPAA compliance assessment tool.
Reviews Should Include HIPAA Privacy Rule Compliance
The General Requirements of the HIPAA Security Rule require covered entities and business associates to “protect against any reasonably anticipated uses or disclosures of [electronic Protected Health Information] that are not required or permitted by the [HIPAA Privacy Rule]” (§164.306(a)). This suggests compliance reviews should not focus exclusively on HIPAA Security Rule compliance, but also on HIPAA Privacy Rule compliance, where applicable.
The failure to include HIPAA Privacy Rule compliance in a compliance review (where applicable) could be interpreted as “reasonable cause” by HHS’ Office for Civil Rights to impose a civil monetary penalty (§160.401) – especially in light of the agency’s new risk analysis enforcement initiative. Consequently, covered entities and business associates are advised to conduct and document HIPAA compliance reviews at least annually.
Take the Free HIPAA Compliance Assessment
The HIPAA Journal’s free HIPAA Compliance Assessment has been designed to help covered entities identify potential compliance risks. The Assessment takes just five minutes to complete and – on completion – participants are sent a detailed report via email. The report notes any areas where compliance can be improved and, where applicable, provides recommendations to enhance participants’ HIPAA compliance.