Q&A: The main reason healthcare organizations violate HIPAA

The second round of HIPAA audits has commenced, and most likely some healthcare organizations will be found to violate HIPAA. A health IT expert discusses common mistakes.

The second round of HIPAA audits has begun, with the Office for Civil Rights notifying 167 healthcare organizations via email that they will be investigated to see if they are complying with HIPAA.

Healthcare organizations that violate HIPAA have often been dealt hefty fines ranging from hundreds of thousands of dollars to millions. Only time will tell what the results of this second round of HIPAA audits will uncover.

Michael Archuleta, director of IT and HIPAA security officer at Mt. San Rafael Hospital in Trinidad, Colo., predicted that HIPAA violations will continue to rise. In this Q&A, Archuleta discusses why he thinks healthcare organizations will continue to inadvertently violate HIPAA, and what technologies he thinks will help them better achieve HIPAA compliance.

What do you think will be the most common reason healthcare organizations violate HIPAA in this next round of HIPAA audits?

Michael Archuleta: I believe that the most common reason that healthcare organizations violate HIPAA during audits is that most healthcare organizations assume HIPAA compliance to be a one-time project, rather than an around the clock, everyday practice. I've always said that it costs far less to address HIPAA compliance full on and develop a good program, rather than having to justify the defense of the organization and try to mediate penalties from OCR. Therefore, if healthcare organizations continue to think that compliance is a one-time project and continue to refuse to address it with a lack of importance, rather than recognizing it as an ongoing work in progress that is necessary to the overall security of the organization, the number of HIPAA violations will continue to rise, especially within this next round of audits.

What technologies do you think are best suited to help healthcare organizations achieve this "around the clock, everyday practice"?

Archuleta: HIPAA compliance software is a great tool to help your organization stay HIPAA compliant. The way I see it, there are three kinds of solutions on the market today: consultant-based solutions that, in my opinion, leave you exposed over the long term; partial solutions that fail to address everything the regulation entails; and total solutions that address the full extent of the regulation with comprehensive guidance through self-controlled audits. A total compliance solution accounts for all aspects of HIPAA regulation and provides organizations with the support necessary to stay compliant with OCR requirements.

Could you give some specific examples of technologies?

Archuleta: Some specific examples of technologies: HIPAA-based compliance software, encryption [and] secure texting.
