The current AIS Health Report on Patient Privacy tells us: National Review of HIPAA Compliance Finds Rampant Confusion, MistakesHere’s the lead:

Four years after the privacy rule went into effect, hospitals and other covered entities (CEs) are struggling with basic concepts that underlie compliance, such as what the "minimum necessary" standard means. Mistrust among CEs is rampant, and many have implemented business practices in the name of privacy and security that have no basis in law.

That’s one of the take-home messages from a two-year, $11.5 million study of privacy and security compliance funded by the Agency for Healthcare Research and Quality (AHRQ) under HHS.

The AHRQ contractor reports further on the study here.

Confusion and misinterpretation of HIPAA requirements seems to be related to the flexibility built into the rules, and providers’ difficulty in integrating overlapping state and federal requirements.  There are some recommendations for future improvements in the report, including development of form documents (including business associate agreements), and safe harbors for compliance.  It is unclear when, if ever, these improvements may be implemented.

This report makes clear that a wide variety of CEs could benefit from a HIPAA compliance audit.  This is a service provided by The Harlow Group LLC and its associated consultants with expertise in legal, health care operations and IT aspects of HIPAA compliance.  Please contact me should you have a need in this area.

David Harlow