By Julie-Karel Elkin

  1. Act Now: Compliance with HIPAA, HITECH and all the other rules and regulations, as irritating as they may be, is mandatory, and requirements continue to expand. Refusing to address it in a serious way can cost hundreds of thousands of dollars in penalties to your practice.
  2. Understand the Issues: Data privacy and security for personal health information (PHI), personally identifiable information (PII) and other materials is wide-ranging, so unless you know what you are looking for, you run the risk of missing something the investigators will find immediately (and if you just thought, “what investigators?” you have no idea what you are up against).
  3. Think Differently: Compliance can happen, and it can be accomplished with reasonable diligence for a reasonable price, but you have to get the right people in place to get it done now and to keep it under control.
  4. Review and Improve: Office for Civil Rights (OCR) investigators at the Department of Health and Human Services are looking for non-compliance, and the fastest way to invite them to do a full investigation is to show them a policy manual that hasn’t been updated, reviewed or changed in the past two years, without the accompanying documentation to prove who reviewed it, why and how it was changed.
  5. Audit and React: Compliance requires at least an annual audit of systems and procedures, along with training for all personnel, licensed professionals included, as to the changes in policy and why they were made.
  6. Workforce: Compliance demands that you look at your personnel to determine who has access to information. A determination must be made regarding whether each individual should have access to the full data or whether access to a limited dataset, which is more appropriate for privacy and security, is sufficient.
  7. Physical Space: Certainly locks on doors are a requirement, but computer access through unique passwords, controlled remote access to information, software management and even properly designed work areas that avoid unintended viewing by the public as well as non-essential personnel are required for most practices.
  8. Manage Devices: Do you even know if your workforce has any of your practice data on their personal devices or laptop computers, and where those devices are located? An old, lost or stolen device can lead to a million-dollar fine.
  9. Monitor: Someone has to be charged with the task of monitoring the rules and regulations and how they are applied in your practice. Since fines are generally calculated by each incident category and multiplied by the number of patients affected times the number of days outstanding, which could be years, the faster a breach is caught, the less it may cost.
  10. Engage: As you know, it starts from the top, and the attitude you reveal about compliance will likely filter down to your workforce. The better plan of action is to get a compliance review and make compliance happen.


Julie-Karel Elkin is the Chief Compliance Officer at Spicer Rudstrom and has been practicing law for more than 20 years. She is focused in the areas of HIPAA compliance and data security, and she has developed a full suite of PHI and PII compliance measures for clients, large and small. She is currently providing privacy and security reviews for health care providers and business associates in anticipation of Phase 2 Audit Procedures from the Office for Civil Rights at the Department of Health and Human Services. She is the head of Spicer Rudstrom’s Health Data practice in the firm’s Nashville office.