Time for Spring Cleaning – Is Your HIPAA House Ready?

Reprinted with permission from Birmingham Medical News

When it comes to compliance with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”), is your house in order? Has someone recently looked underneath the counter and tidied up? For health care providers, periodically checking in on your HIPAA compliance program and cleaning up loose ends goes a long way toward keeping it effective. Here are five areas that I recommend “spring cleaning” in order to boost your HIPAA compliance efforts:

  1. Policies and Procedures. Many health care providers enacted HIPAA policies and procedures shortly after the passage of the HIPAA regulations but have failed to revise and update their HIPAA compliance plans since. With changes in the law, operational transitions, and a cybersecurity landscape that poses numerous threats, providers should consider reviewing and updating their existing HIPAA policies and procedures. For example, changes to HIPAA that address the privacy of protected health information (“PHI”) concerning reproductive health care took effect on December 23, 2024. These changes require updates to written policies, the addition of a new attestation form, revisions to existing forms, and changes in procedures addressing the disclosure of reproductive health care information. Thus, now would be a good time to review and update your HIPAA policies and procedures.
  2. Training. When it comes to HIPAA compliance efforts, the first line of defense in ensuring that PHI is secured appropriately and compliantly is training your employees. While employees should always be trained upon hire, they should also be trained periodically thereafter. I recommend that clients conduct routine, formal HIPAA training at least once a year. Consider the type of training that is appropriate for your organization and how often training should be conducted based on the culture of your organization. Training can be conducted in a variety of forms: web-based tutorials, attendance at seminars, self-study, etc. If an unauthorized use or disclosure occurs, or if a policy or procedure is changed, conduct additional training. Whenever training is conducted, whether internally or externally, the training must be documented. The documentation should include the date the training was conducted, the employees who were trained, the topics discussed, and a copy of any training materials that were used. With the changes to HIPAA concerning reproductive health care, now would be a good time to undertake additional training initiatives.
  3. Risk Analysis. We are seeing a large increase in cyber incidents impacting the health care industry. The Office for Civil Rights (“OCR”) recently reported a 264% increase in large breaches involving ransomware attacks reported since 2018. Given the large number of individuals impacted, these incidents are triggering investigations. When these matters are investigated, penalties are often imposed because covered entities do not have an up-to-date risk analysis. In fact, OCR has a “Risk Analysis Initiative” that penalizes entities for not complying with the HIPAA risk analysis requirements. Thus, it is important to document in written form what your risks are and how you will address them, and now would be a good time to update any prior risk analysis.
  4. Breach Reporting. Most people are aware of the obligation to notify affected individuals, along with OCR, when a breach has occurred, and covered entities should have a process in place to ensure that breach reporting occurs in a timely manner. In addition, however, entities should have a mechanism for employees and patients to report potential concerns regarding the use and disclosure of PHI. The reporting process should be well-publicized, flexible, transparent, and familiar to all employees. The only way to improve HIPAA compliance efforts is to be aware of potential concerns or issues. Having a workable reporting process, free of any fear of retaliation, helps ensure that those issues are made known. Now would be a good time to confirm that the reporting process is working and effective.
  5. Instilling a Culture of Compliance. As with every compliance effort, instilling a culture of compliance within the organization is important. Your employees are your best line of defense, as well as your biggest risk area, when it comes to compliance efforts. Thus, having employees invest in adhering to HIPAA requirements and understanding their importance goes a long way in your compliance efforts. In that regard, have leadership attend training sessions, reward compliance efforts, stress the importance of adherence to HIPAA policies and procedures, and disincentivize inappropriate behavior. A compliant environment begins at the top.

Taking these steps as part of the “spring cleaning” of your HIPAA house will place your organization in a much better position to prevent a HIPAA incident or to respond to one when it occurs.
