The recent settlement between the U.S. Department of Health and Human Services Office for Civil Rights (OCR) and a community hospital is a reminder of the importance of HIPAA compliance for all healthcare organizations. The settlement involved non-medical staff accessing patients' medical records that were not connected to their jobs. This issue highlights the need for all HIPAA-covered entities to take steps to protect the privacy and security of health information. HIPAA compliance is complex and requires significant funding for the organization to be in full compliance. However, there are several key steps that all covered entities can take to minimize their risk of a HIPAA violation. These steps include:

• Conducting a risk analysis to identify and assess the risks to the confidentiality, integrity, and availability of protected health information (PHI).
• Developing and implementing a risk management plan to mitigate the risks identified in the risk analysis.
• Creating and maintaining written policies and procedures that are designed to protect PHI.
• Training organization members on HIPAA compliance and the organization's policies and procedures.
• Reviewing and updating the organization's policies and procedures on a regular basis.

Self-funded group health plans have a particular responsibility to ensure HIPAA compliance. These plans do not have the option of relying on their carriers for HIPAA compliance, so they must take responsibility for ensuring that their own policies and procedures are in place.
By taking these steps, healthcare organizations can help to protect the privacy and security of patient health information and minimize their risk of a HIPAA violation.

[View source.]