HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliance for Medical Centers

HIPAA compliance for medical centers consists of complying with the Administrative Simplification standards of the Health Insurance Portability and Accountability Act. For some medical centers, this can prove more challenging than for others. 

Some medical centers are well-equipped environments with highly motivated management teams, while others struggle with limited resources to provide the care their communities need. Unfortunately, HIPAA doesn't distinguish between those who are resource-rich and those who are resource-poor and requires equal HIPAA compliance for medical centers of all shapes and sizes.

While this may seem unfair, it is understandable. Individually identifiable health information has to be protected from impermissible uses and disclosures to reduce the likelihood of Protected Health Information being acquired by third parties and used to commit identity theft and insurance fraud. While these events can impact both resource-rich and resource-poor medical centers, resource-poor medical centers will likely feel each impact more if it affects payment for treatments.

HIPAA Compliance for Medical Centers Does Not Have to be Costly

Although the Administrative Simplification standards of HIPAA are often described as complex, this does not mean HIPAA compliance for medical centers has to be costly. Organizations can designate the roles of Privacy and Security Officer to existing members of the workforce, and a wealth of information about HIPAA compliance for medical centers exists on the CMS website and on sites such as healthIT.gov to help new Privacy and Security Officers “hit the ground running”.

It is also the case that there are far more “HIPAA-conscious” software packages available now than when the HIPAA Security Rule was published in 2003. These can help medical centers with limited resources comply with the Technical Safeguards of the Security Rule cost-effectively. With regard to the Administrative and Physical Safeguards, it is worth noting that the General Security Rule (§164.306(b)) allows a “flexibility of approach” depending on:

  • The size, complexity, and capabilities of the medical center.
  • The medical center's technical infrastructure, hardware, and software security capabilities.
  • The costs of security measures.
  • The probability and criticality of potential risks to electronic Protected Health Information.

Why Training is Key to HIPAA Compliance for Medical Centers

Training is key to HIPAA compliance for medical centers because without a fully trained and HIPAA-aware workforce, it will be impossible to achieve compliance with every element of the HIPAA Rules. Furthermore, a fully trained and HIPAA-aware workforce can help medical centers with HIPAA compliance as workforce members will be more likely to identify HIPAA violations and report them to their department heads or escalate them to the appropriate Officer.

Whereas there is a flexibility of approach with regards to Security Rule compliance, the same is not true when it comes to training. Medical centers must “train all members of its workforce on the policies and procedures with respect to PHI […] as necessary and appropriate for the members of the workforce to carry out their functions within the Covered Entity.” Additionally, security and awareness training is compulsory for all members of the workforce.

However, like other areas of HIPAA compliance for medical centers, training does not have to be costly. There are many inexpensive training packages available on the Internet, and although these cannot train members of the workforce on policies and procedures (because each medical center will develop its own unique policies and procedures), the training packages can help members of the workforce gain a better understanding of HIPAA to increase the effectiveness of in-house training.