The HIPAA Omnibus enforcement deadline of September 23rd is fast approaching, and with less than two months left, it’s time for covered entities and business associates to spruce up compliance efforts and tick off tasks on the to-do list. Although the primary focus should be on updating security and privacy policies and procedures to meet the new requirements under the final rule, healthcare organizations should also make sure they have a breach response and notification plan in place.
The compliance countdown has started, and there are a number of requirements to be met. At this juncture, privacy and security experts offer tips on the goals that need to be accomplished and the milestones that need to be crossed. Here’s a brief look at the input offered by privacy attorneys Adam Greene and Kirk Nahra, and security consultant Rebecca Herold:
On Updating Policies
Healthcare entities need to act swiftly when it comes to updating privacy policies and procedures to meet the requirements of the Omnibus rule. According to Herold, this is crucial as business associates and subcontractors are also directly liable for compliance under the Omnibus rule. And more importantly, these policies and procedures also need to be documented. While most business associates still do not have documented policies and procedures for information security and protection of privacy, putting such policies in place and documenting them should be one of the first and foremost tasks.
According to Greene, the focus should be on policies that would govern the sale and use of PHI for marketing, patient access to electronic information, and on evaluating the best means to operationalize the restrictions on disclosures where patients pay out of their pockets. And Nahra is of the opinion that leaders should keep track of the progress in the HIPAA compliance plan, especially if the entity is a business associate which was not liable to comply before the Omnibus rule came into effect. However, a quick review of the compliance status is essential for every covered entity.
On Evaluating BAs and Subcontractors
Reviewing contracts with business associates and subcontractors is another important task that should be given top priority. All new contracts signed after the Omnibus rule was published in the Federal Register have to reflect the new requirements by September 23rd this year, and preexisting ones have until September 23rd next year to be modified. However, according to Greene, using an updated business associate agreement in cases where the contract is new is better than having to revise it again by September. While Nahra is of the opinion that BAs should ensure they have a plan for revising these agreements, Herold suggests that entities should take guidance from the business associate agreement template available on the HHS website.
However, before updating agreements, covered entities should know who their business associates are, because the Omnibus rule has redefined the term and expanded its scope to include all organizations that create, receive, maintain, or transmit PHI for a function or regulated activity.
On Preparing Staff
Healthcare entities have to ensure that their staff is aware of the changes brought about by HIPAA Omnibus, which include knowing how to report a suspected breach to the appropriate managers, and allowing patients to keep their health information about treatments private from insurers in cases where they have paid in cash.
Herold says that providing information security and privacy training to the personnel is of great importance as it directly relates to the Omnibus rule, which also requires healthcare entities to provide ongoing awareness to staff in addition to formal training. This process will not only help in complying with the new requirements under the Omnibus rule, but also act as a major step towards breach prevention.
In addition to this, a large majority of healthcare entities also have to provide a Notice of Privacy Practices, and those that are already in effect have to undergo a significant number of changes to make room for new versions. These modifications should include an explanation of how patient information is used for marketing or fundraising, and should also describe patients’ right to nondisclosure to insurers where treatments are paid for in cash.
Covered entities have to cross these milestones before they reach the compliance deadline to avoid huge penalties and stringent legal action. But this wouldn’t be an easy task without the support of a comprehensive security and compliance management solution such as Aegify SecureGRC. Such a platform can prove handy at this point, as it comes with built-in frameworks for compliance with all aspects of the HIPAA Omnibus rule.