HIPAA Challenges & Pitfalls

HIPAA regulations are tricky, challenging, and full of pitfalls for everyone from the smallest practices and business associates to the largest enterprises. The introduction of the HITECH (Health Information Technology for Economic and Clinical Health) Act of 2009 further complicates matters.


Our approach pivots the traditional advice, making compliance practical and easier to follow.

Pitfall: Creating technical and cybersecurity systems that are not HIPAA compliant

  • Create and document specific HIPAA requirements, including checklists for periodic validation.
  • Physically and technically secure all devices.
  • Implement encryption with Multi-Factor Authentication (MFA) controls, even on devices that never leave your facility.
  • Create a robust risk assessment based on your current business and compliance requirements.
  • Do not allow any non-controlled devices access to any system containing ePHI (Electronic Protected Health Information), especially personally owned devices.
  • Remember, no organization is too small to audit.

Pitfall: Failure to manage data according to HIPAA requirements

  • Create a comprehensive Vendor Management program; include due diligence activities such as data classification, HIPAA requirements, and technical requirements.
  • Know, document, and classify all data, storage, and usage systems (data at rest, in transit, and in transaction).
  • Digitally validate ePHI systems on all local systems and end-user devices.
  • Respond to ePHI requests in a timely manner.
  • Destroy physical and digital data in accordance with HIPAA requirements.
  • Send data breach notifications in accordance with HIPAA requirements.

Pitfall: User activities that are not HIPAA compliant

  • Ensure staff are trained and prepared to handle ePHI.
  • Conduct periodic training. Include topics such as:
    1. System usage and cybersecurity hygiene
    2. Social breaches (talking about patients)
    3. Employee curiosity
    4. Password management
    5. Messaging ePHI
    6. Accessing and storing ePHI from unauthorized locations
  • Periodically test your users on HIPAA and cybersecurity practices.
  • Create a culture that encourages employee honesty and integrity.

Pitfall: Not managing Business Associate Agreements (BAAs)

  • Maintain an active roster of all Business Associates. 
  • Include elements specified at 45 CFR 164.504(e) in the contract or other written arrangement with Business Associates.  
  • Require all Business Associates to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. 
  • Periodically review BAAs.  

Pitfall: Trying to be HIPAA compliant alone

  • Create a partnership of resources. This includes industry associations, professional peers, and third-party support vendors.
  • Include government resources in your program:
  1. HIPAA for Professionals:   
  2. Security Rules: 
  3. NIST based HIPAA Security Rule Toolkit  
  4. Business Associate Guidelines 

Have you read part one of this five-part blog series? Click here to learn why you need to be HIPAA compliant.