Finding focus under overwhelming circumstances

EHR and HIPAA2020 was overwhelming in so many ways, it’s almost surreal. Through it all, we witnessed an explosion of sophisticated cybersecurity attacks. At the same time, HIPAA enforcement continued on, as stories of new violations and enforcement penalties were frequently announced.

When it comes to your HIPAA compliance and cybersecurity, the ideal of “plugging all the holes in the dike” is a worthy goal, but not always possible or practical. In reality of limited resources, it’s essential for the focus to be prioritized on the most critical areas first. So where should your HIPAA compliance focus be in 2021, based upon what we saw in 2020?

Before we get into the details, just a short note on risk assessments. A proper security risk assessment, including those conducted as required by HIPAA, will highlight your vulnerabilities and it will identify which of those could cause the most damage to your organization. A good risk assessment will show you where to prioritize your compliance and security efforts, and those specifics of your organization should supersede general guidance.

While your risk assessment should be your guiding document when it comes to your HIPAA compliance and your cybersecurity efforts, it’s also helpful to be aware of where the Office for Civil Rights has been focusing their enforcement efforts. Although we may see some changes with HHS as a result of the new Administration, we don’t expect the over-arching focus of HIPAA enforcement to change. Specifically, the patient’s right of access to their medical records has been a priority and will likely continue to be so.

That leads us to our leading area of focus for your HIPAA compliance. Be certain you are able to meet the federal HIPAA requirement, and whatever your state requirement is for timely medical records access. HIPAA defines timeliness as not greater than 30 days, but many states have shorter timeframes. Consult your HIPAA expert or us with specifics. Failing here will make you famous – OCR has gone out of there way to publicize organizations that have violated this requirement.

Next up, and an area that touches on policy failures, human error, and cybersecurity breaches, is impermissible disclosures. Whether it’s a parent asking for their teenage child’s records, an accidental release of information to the wrong patient, or a cyber breach by a hacker, this broad-reaching area should be a primary focus of your compliance efforts.

Additional areas include ensuring you have properly implemented encryption on your data, both while at rest and while in transit, including your emails. Validating your backups by periodically testing that what you think is working, and recoverable actually is. And finally, when disposing of medical devices, computer hardware, and paper records, be sure the data contained therein is properly destroyed. While “shooting” your hard drives and fax machines may be rewarding, it does not provide you with a certificate of destruction as required to meet this part of the law.

This is far from a complete list, but it does highlight areas where your focus will be effectively and efficiently placed.

As always, if any of this sounds foreign or overwhelming to you, call us. This is what we do for our clients every day, and we are happy to help simplify these tasks for you.

Think before you click that link in your email.


If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.


For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of its workforce (including management). Have your team sign up for weekly HIPAA Security Reminder to help stay compliant.