After making initial compliance efforts, many employers may have put the Health Insurance Portability and Accountability Act of 1996 on the back burner. Here are the common mistakes that have been made by employers and other HIPAA-covered entities since the act went into effect in 2003. 
By Sandra R. Mihok

By now, most employers who maintain self-insured health plans have taken steps to comply with the privacy rules issued under the Health Insurance Portability and Accountability Act of 1996. However, after making initial compliance efforts, employers may have put HIPAA on the back burner.

Since HIPAA went into effect in April 2003, the following have emerged as common mistakes made by employers and other HIPAA-covered entities.

Failing to comply with the security rules
The rules regarding security measures for electronic health information have been in effect since April 2005. However, many employers have not completed security rule compliance efforts and do not have security rule policies and procedures that comply with HIPAA in place. Others have not appropriately updated plan documents or business associate agreements for the security rules. These mistakes may be costly, given that the Center for Medicare and Medicaid Services has recently instituted HIPAA audits aimed at security rule compliance.

In addition, business associate agreements were required to be updated to include provisions dealing with security rule compliance. While most new business associate agreements contain these provisions, many of the agreements entered into prior to April 2005 have not been amended to include the required language.

Read more
Posted by Bruce Cornett on 10/6/08; 3:02:37 PM from the HIPAA News dept.