Healthcare compliance can be intimidating, especially when a provider is surrounded by misinformation and confusing regulations.
It can be a challenge for doctors of chiropractic (DCs) to sift through marketing talk and fear tactics surrounding Health Insurance Portability and Accountability Act (HIPAA) regulations and requirements. As a result, many providers make the mistake of ignoring all of it, only to find themselves facing a HIPAA violation that stops them in their tracks.
The ‘less fear, more action’ approach to compliance is a mindset shift from being controlled by fear to choosing to act despite it. Instead of being overwhelmed by HIPAA compliance and, in a sense, giving in to fear of the unknown, a provider should take small, progressive steps. A good first step is to address misinformation, a common cause of that fear.
More action
The first action is to find a reliable source. You can avoid undue stress and frustration by obtaining compliance-related information directly from the source: the regulatory authorities. A certified compliance specialist or healthcare attorney may help with implementation, but it is ultimately the provider’s responsibility to know the rules and regulations. If you read or hear something, check the facts rather than simply following what others say or do. You can take action now by locating and bookmarking these HIPAA-related websites:
- US Department of Health and Human Services (HHS)
- HealthIT.gov
- Office of the National Coordinator for Health Information Technology (ONC)
The second action is to learn the lingo of regulation. Knowing the difference between the rule makers and the enforcers can clear up confusion, and knowing the difference between a proposed rule and a final rule can spare you unnecessary stress. See A Guide to the Rulemaking Process for additional information.1
Facts vs. misinformation
Misinformation
The Office for Civil Rights (OCR) is conducting nationwide audits of all doctors. Get ready to be audited.
Fact
HHS issues the HIPAA Privacy and Security Rules; its Office for Civil Rights (OCR) enforces them. In November 2024, the HHS Office of Inspector General (OIG) published an audit of OCR. Because of the increase in cyberattacks on healthcare organizations, OIG audited OCR’s program for performing the periodic HIPAA audits required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. OIG found that OCR’s audits were “too narrowly scoped to effectively assess ePHI protections” and recommended that OCR “enhance its HIPAA audit program.” OCR responded that “the OCR does not have the financial or staff resources to expand the scope of HIPAA audits….” Mass audits of all doctors are not being carried out, although more thorough audits do appear to be a goal of OCR. Most providers are investigated by OCR because of a reportable breach or a HIPAA complaint filed by a patient, not because of a random audit. The full report and OCR’s response are available online.2
Misinformation
Every provider should immediately update their Notice of Privacy Practices (NPP) in light of the revised regulations in the Reproductive Health Information (RHI) rule, which became effective June 25, 2024.
Fact
Rulemaking generally passes through three stages. First is the pre-rule stage, during which the regulatory authority identifies an issue, develops a plan and gathers comments from stakeholders. Next comes the proposed rule, published in the Federal Register as a Notice of Proposed Rulemaking (NPRM); further public comments are gathered during this stage. In the final stage the agency completes its analysis, the Office of Information and Regulatory Affairs (OIRA) reviews significant rules, and the rule is published in the Federal Register as a Final Rule. Every Final Rule has an effective date, normally at least 30 days after publication (60 days for major rules). The enforcement date (compliance date) is often later.
If your Notice of Privacy Practices will be affected by this rule, the compliance date for the NPP changes is February 16, 2026. Knowing the stage a rule is in and its compliance date can alleviate frustration and help you take a proactive approach to compliance.3
Misinformation
The Reproductive Healthcare Privacy Final Rule requires doctors to update their Business Associate Agreements (BAAs) with all of their vendors.
Fact
The Final Rule does not expressly require BAAs to be updated. Not all business associates serve the provider in the same capacity, and BAAs are not intended to be one-size-fits-all. The rule does require providers to evaluate each business relationship, determine who will take the lead in meeting the disclosure restrictions and attestation requirements of the reproductive healthcare rule, and then add that responsibility to the BAA where it applies.
Misinformation
The Breach Notification Rule reporting timeline has changed. Providers must report all breaches within 15 days.
Fact
The FTC Health Breach Notification Rule, as amended effective July 2024, applies to “personal health records that are NOT covered by HIPAA”; it does not change HIPAA obligations. HHS did not update its Breach Notification Rule page in 2024. Under the HIPAA Breach Notification Rule, a covered entity must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach.
A proactive approach to healthcare compliance
It can be challenging to navigate the world of compliance and regulations. A reactive approach may seem easier and less costly at first, but ask those who have ignored compliance and you will soon see that shortcuts can be devastating. A proactive approach may take more time up front, but the benefits outweigh the costs.
HHS has provided insight into where it is headed with HIPAA regulations and rules in 2025. On December 27, 2024, HHS, through OCR, announced a proposed rule to improve cybersecurity and better protect the US healthcare system from a growing number of cyberattacks.4 The proposed rule would modify the HIPAA Security Rule to “require health plans, healthcare clearinghouses and most healthcare providers and their business associates to strengthen cybersecurity protections for individuals’ protected health information.”
In October 2024, at the HHS/NIST Safeguarding Health Information conference in Washington, DC, HHS presented its Risk Analysis Initiative for 2025. OCR took the position that automated risk assessments and simple checkbox assessments do not assess the entire environment in which protected health information resides. Since each provider or practice is unique, each risk analysis should also be unique.
Most practices will choose to engage a third party to help evaluate threats and vulnerabilities. When choosing a risk assessment service, do not rely on automated systems or online checkbox forms alone. Choose a specialist who is willing to trace protected health information through your entire workflow and environment, including every system, device and vendor that stores, transmits or accesses it. Only a thorough hands-on approach lets you address the risk and build a compliant culture in your practice.
Set your compliance goals
As HHS works in 2025 to develop revised standards and rules, your practice can take the proactive approach by completing a thorough risk assessment. Don’t stop there: in addition to the report, your practice should document detailed corrective actions along with target dates for completion. A risk assessment is the first step in implementing a compliant HIPAA program, and it is the only way to identify the areas that are putting your practice and your patients’ information at risk.
Final thoughts
Remember, less fear, more action! Consult the regulatory authorities’ resources for your compliance requirements. Choose a compliance specialist who directs you to HHS resources and does not take shortcuts. Take the proactive approach: do not put off your HIPAA risk assessment and implementation.
JILL FOOTE currently contracts with KMC University as a subject matter expert. Previously, Foote served as senior manager of coding and practice management for the American Chiropractic Association (ACA), and she was instrumental in coordinating the association’s coding initiatives and educational campaigns. Prior to joining the ACA, she worked for more than 13 years in chiropractic billing and practice management. While working with doctors on a national level, she saw a growing need for training in HIPAA compliance, especially as it relates to technology in a healthcare setting. Foote holds a certification as a HealthCare IT Specialist and is currently the owner/operator of Easy Tech Compliance. For more information, contact jill@kmcuniversity.com.