When passed in 1996, the Health Insurance Portability and Accountability Act was meant to create measures for patient data protection that would benefit patients, doctors and insurers alike. As such, compliance with the act is taken rather seriously, and those who violate it can face serious penalties. According to the American Medical Association, violators can be fined between $100 and $50,000 per violation, usually depending on the specific issue. Those who commit "willful neglect" can be fined between $10,000 and $50,000 per violation.

Given the sheer number of rules and guidelines built into HIPAA, even those who don't intend to violate the act may still do so with some frequency. To prevent just that, it's important that all complying bodies take certain measures to mitigate these penalties, both for the health of their business and for their patients.

1. Respond to breaches immediately
According to HIPAA legislation, all complying parties must report any breaches, or possible breaches, within 30 days. If the violation isn't deemed willful, then penalties won't be accrued. However, a series of corrective actions will still have to be taken to address the breach. These can include:

  • Disciplining employees: While there's no standard for disciplinary action, it does have to be documented to the Department of Health and Human Services.
  • Implementing new safeguards: This could involve new firewalls in proprietary electronic software or security protocols like added password protection.
  • Modifying office policies: Shifts in general operating behavior can help plug the holes that cause most breaches.

2. Perform a security risk assessment
As its name implies, a security risk assessment is about understanding possible points of vulnerability before they become full-blown problems. In order to receive payment from the Centers for Medicare & Medicaid Services, eligible professionals and providers must run these assessments regularly, examining the administrative, physical and technical safeguards they have in place. To streamline the process, the Office of the National Coordinator for Health Information Technology and the Office for Civil Rights created an SRA tool. Featuring 156 questions in all, the tool generates a report that compiles a list of weaknesses, faulty systems and ineffective policies. The tool does not submit that information anywhere; instead, health care offices address the issues in-house. For further assistance, there's also an SRA website featuring a user guide and a tutorial video.

3. Document everything
HIPAA was meant to ensure accountability and the tracking of patient data. To do that, HIPAA requires medical organizations to enact new levels of reporting and documentation. These measures can include systems activity reports, audit logs, user login summaries and annual HIPAA audit records. To maintain HIPAA compliance, organizations must retain this documentation for a minimum of six years. That raises questions of storage, both physical and electronic, and of how quickly these materials can be accessed. It's worth noting, though, that there are exclusions to the documentation rule. According to the U.S. Department of Health and Human Services, entities do not have to document oral communications.

4. Provide ongoing training
Front-office employees are often on the front line of HIPAA compliance, as they routinely handle documentation, patient interaction and overall communication. Because of that dynamic, it's of the utmost importance that employees undergo periodic training to maintain compliance. First, this helps reinforce certain protocols and standards, ensuring that employees maintain the required behaviors. Second, this training can also pinpoint any confusion or misinformation employees may have accumulated, which, like a risk assessment, addresses problems preemptively. Finally, training is also a way for an organization to protect itself. According to the University of North Carolina at Chapel Hill, organizations can avoid penalties if they can prove that training procedures were in place.