Although most healthcare employees understand and follow HIPAA basics, violations still occur. Protect your organization by ensuring these common compliance risks are mitigated.

Keep up with regular risk assessments

Given the stresses of the pandemic, it’s understandable that your annual risk assessment may have fallen off your radar. However, the Security Rule requires an accurate and thorough risk analysis, and a scheduled, organization-wide one is vital to protecting your organization, especially after high turnover or heavy use of agency staff, since both change who holds credentials and access to ePHI.

Update risk management processes

It’s not enough to complete a risk assessment. A plan must be in place to address vulnerabilities and breaches when they are found. Consider creating standard operating procedures within your compliance strategy that document when a violation was identified, the actions taken to contain and correct it, the process changes made so it does not recur, and, for breaches of unsecured PHI, the notifications the Breach Notification Rule requires.

Abide by time limits for record requests

Denying patients access to their health records, or taking more than 30 calendar days to act on a request, can lead to penalties and fines. (One 30-day extension is allowed, but only if you notify the patient in writing of the reason for the delay and the expected delivery date.) Be sure to document not only when each request was received but also the date and method of delivery.

Limit accidental PHI disclosures

Shredding documents and using automatic screen time-outs are standard practice for many organizations. In the age of social media, consider adding a policy about ‘selfies’ in the office, so that patient information is not inadvertently captured and shared. Also, confirm and document that past employees no longer have access to information systems: remove accounts, credentials, badges and remote access promptly at termination, and periodically reconcile active accounts against HR’s roster so that orphaned logins are caught.

Strictly adhere to record release authorizations

Insurance companies and third parties often request medical records. In addition to confirming a signed, unexpired patient authorization, make sure that only the records and date range the authorization covers are sent. It’s okay to mark through or remove information that does not pertain to the request; releasing more than the request calls for is itself a violation.

Confirm third-party identities

In addition to the names of patient-designated individuals allowed access to records, capture another piece of identifying information, such as an address, phone number or date of birth, and check the requester against what is on file, not against details the requester supplies, before releasing anything.

Be aware of information blocking rules

Although not strictly a part of HIPAA, the 21st Century Cures Act Final Rule issued by ONC in 2020 prohibits information blocking: practices that unreasonably interfere with patients’ access to, exchange of, or use of their electronic health information, which must be available “without special effort.” In other words, patients should not have to sign multiple releases for the same provider because their records are kept in different locations. Consider talking to your EHR supplier about optimizing your patient portal to allow sharing and downloading of patient records.

And, while we’re on the subject of health records…

Expect HIPAA regulations to change post-COVID

In December 2020, the HHS Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking to modify the HIPAA Privacy Rule and opened a public comment period.

One of the significant draft provisions is to shorten the required record request response time to no more than 15 calendar days, with a possible grace period of an additional 15 days. Other proposals include:

  • Requiring covered providers to submit requests on behalf of patients to other healthcare providers and receive electronic records directly
  • Specifying when ePHI must be provided to the individual with no charge, as well as requirements to post a fee schedule for PHI copies
  • Clarification of how covered entities are to respond to PHI requests
  • Modifications to the release of substance abuse and mental health information

Although there is no word yet on when the new HIPAA regulations will be announced, it is expected that the new Rules will take effect sometime in 2022.

New Guidance on Extreme Risk Protection Orders

Of note is guidance released in December 2021 by HHS OCR on how HIPAA applies to extreme risk protection orders, court orders that temporarily prevent a person in crisis from accessing firearms. The guidance illustrates when PHI may be disclosed without an individual’s authorization, for example in response to a court order or to prevent a serious and imminent threat to health or safety. Find examples at

Keeping up with new rules and regulations can be challenging. Using the right partner for EHR and practice management greatly improves your clinical outcomes and business income. Contact us today at (412) 424-2260 or visit to learn how we can help you optimize workflows, gain transparency into your claims cycle and maximize revenue.