By Tom Murphy

The Office of Civil Rights (OCR), a division of Health and Human Services (HHS), is the entity within the federal governments responsible for enforcing HIPAA. This is the storing, accessing and sharing of personal health information (PHI). The OCR has provided a list of the top five HIPAA compliance issues they have seen since 2003.

1. Impermissible Uses and Disclosures of Protected Health Information
   This comes in many forms and can include disclosing patient information without the proper permission or providing patient treatment details to an unauthorized party.
2. Lack of safeguards for Protected Health Information
   A disgruntled employee of a medical practice in Florida discarded boxes of patient records in a dumpster near the practice Every medical practice regardless of size is required to implement safeguards to protect health information.
3. Lack of Patients Access to Their Health Information
   Patients have the right to access their personal health information within 30 days of a request. The practice can charge the usual and customary fees associated with copying these records but the practice must provide them upon the patient or authorized party request.
4. Lack of Administrative Safeguards of Electronic Protected Health Records
   This is the fastest growing area of compliance issues due to the exploding use of technology in every area of healthcare. You only to need read the headlines every day to recognize that healthcare organizations of all sizes are experiencing serious issues with cybercrime as well as problems within their own organization.
5. Use or Disclosure of More than the Minimum Necessary Health Information
   This is using or providing more than the necessary protected health information necessary to perform ones job. This can be in the form of having protected health information visible to all employees of a medical practice when only certain employees should have this access.

HIPAA Training for Staff

Effective 1/1/2016, the Office for Civil Rights is stepping up its enforcement of violation of the HIPAA Privacy Rule and even if your practice does not receive a formal complaint, the OCR is tasked with performing random audits of medical practices and the business associates of these practices.

We always recommend that any medical practice or business that falls under the HIPAA guidelines as a “covered entity” should be providing annual HIPAA compliance training for all employees. This can be accomplished in a few different ways. The physician or group medical professional liability insurance company typically has risk management specialists and a wealth of information on their websites. This is going to be your best option and it is free of charge.

You can also go to (www.hhs.gov/hipaa) to get information about the HIPAA guidelines and compliance training.

Tom Murphy is a medical malpractice insurance and workers’ compensation specialist with Danna-Gracey. He can be reached at or (800) 966-2120 or Murphy@dannagracey.com.