Five gray areas of HIPAA you can’t ignore

The Office for Civil Rights’ Phase 2 HIPAA audits are looming, and organizations need to be prepared. However, many entities that handle PHI are unaware of where they may be noncompliant due to confusion within some areas of HIPAA.

The HIPAA rules apply to many industries outside of healthcare. Despite this, many organizations conclude that because they do not explicitly fall into one of the covered entity categories as defined by HIPAA, they do not need to worry about HIPAA compliance.

Business associates (BAs) of covered entities may also be subject to audits; however, the HIPAA conduit exception rule allows some organizations to avoid signing a business associate agreement (BAA), which makes the whole chain noncompliant.

The de-identification of PHI poses huge risks, as it can be difficult to remove all traces of personally identifiable information from records. Ignoring ‘addressable’ standards within the HIPAA safeguards means that organizations run the risk of data breaches, particularly those around encryption. In addition to this, understanding the different penalties for noncompliance is crucial.

Acces our guide, Five gray areas of HIPAA you can’t ignore aims to help organizations address concerns about HIPAA compliance in areas that are sometimes misinterpreted.