HIPAA Survival Guide Newsletter, August 2021

Surveys of compliance suffer from bias due to personal concerns because respondents often are hesitant to report their conduct. Also, Governmental data has accuracy limitations due to their inability to detect abuses and/or are hidden and hard to find. HIPAA also suffers from bias and other health violations.

When compliance behavior is difficult to ascertain it may require an audit since the number of infractions may not reflect the actual number that exist. In addition, compliance audits seek to understand the impact of inspections.

Understanding compliance from the bottom-up captures social responses to a multitude of rules as they occur over a period of time. This focus is thus procedural to understand how we can capture compliance and business responses to the law.

This is called Compliance Dynamism. And it means that compliance varies for different rules, it varies over time, and businesses learn from one response to the next, daily. Compliance is situational. Procedurally, this means that compliance should be captured as a string of agile processes that occur in a specific context. Businesses face a multitude of clear rules, and compliance may change over time. The resulting picture will obviously be complex, unless one simply wants to capture any firm, at any point, for rules that have been broken. Naturally this could lead to firms being seen in violation.

Classifications are also used to see how regulators can help us classify the behavioral responses to rules. This means that compliance audits must look beyond measurement and numbers and use language to capture behaviors and processes as accurately as possible.

Most notably conflicts have been recognized between the U.S. Health Insurance Portability and Accountability Act (HIPAA) and other laws. For instance, “under HIPAA, a covered entity may charge a reasonable, cost-based fee when providing copies of PHI to an individual, whereas in 29 CFR 1910.1020, employers must provide the first copy of an employee’s medical record free of charge”. And as such, compliance does not entail the reaction to a particular rule but the response to many legal rules. We expect that in these processes there will be new learning, where our experiences with regard to one rule shapes the way, we think we must or can act in response to another. In daily operations in which compliance may require reiterated efforts, the dynamics of compliance may change when opportunities for violations shift.

Compliance Dynamism: Capturing the Polynormative and Situational Nature of Business Responses to Law; Yunmei Wu, Benjamin van Rooij