The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliance: A Year on from the Omnibus Rule

It has been a little over a year since the Omnibus Rule brought HIPAA legislation in line with HITECH, and six months since adoption of all aspects of the rule became mandatory and HIPAA compliance became enforceable.

The Omnibus Rule did not introduce any major legislative changes, but it did contain a large number of amendments to HIPAA to fine-tune the bill and tighten up the language, as well as to bring Business Associates into the fold and increase the financial penalties for non-compliance.

The Department of Health and Human Services’ Office for Civil Rights (OCR) will need to assess compliance with the Omnibus Rule, and is expected to do so in the next round of audits, scheduled to commence in the fall of this year.

Covered organizations have a few months before the auditors come knocking. When they do, however, they will be looking for evidence of the measures that have been implemented to comply with the HIPAA Privacy and Security Rules; now is therefore no time for rest. It’s time to get prepared.


There are also many government agencies looking closely at the healthcare industry, and many are actively fining organizations for HIPAA violations. The Federal Trade Commission, the Puerto Rico Health Insurance Administration and State Attorneys General are all permitted to impose fines for violations of HIPAA Rules, and are doing so. The fines are considerable: the OCR can impose up to $1.5 million for each violation category, per year that the violation has persisted.

Business Associates featured heavily in the legislation, as their actions are now governed by HIPAA. Marketing use of PHI was also limited.

Preparing for an Audit and Achieving HIPAA Compliance

HIPAA is flexible and allows covered organizations to select the methods they believe appropriate to protect PHI and ensure patient privacy. Many of the rules are more like recommendations, being only addressable rather than mandatory. This means a compliance plan must be developed for each specific organization, adapted to its own circumstances.

There are a number of steps that can be taken to ensure compliance. Detailed below are some of the key areas in which OCR auditors found organizations to be struggling during the pilot round of compliance audits.

Conduct a Comprehensive Risk Analysis

It is imperative that a comprehensive risk analysis is conducted to identify all security vulnerabilities. If a risk analysis is not conducted, there is no way of determining whether the safeguards currently in place to protect PHI are sufficient. It is best to employ an external specialist agency to conduct the risk analysis, to ensure that all security vulnerabilities are identified.

Develop Policies and Procedures to Manage Risk

Policies and procedures must be developed and documented, and they must be revised and updated on a regular basis. Signed Business Associate Agreements must be obtained from all third-party contractors and vendors who are required to come into contact with PHI.

Train the Workforce on HIPAA Rules

Policies and procedures are of little use if staff are not trained on their importance. Full training must be provided on staff obligations under HIPAA Rules, including when PHI can be accessed and disclosed. Staff must also be tested on their knowledge, and all training and testing must be documented. Employees must be made aware of the repercussions for not adhering to HIPAA Rules.

Compliance is an Ongoing Process

You can breathe a sigh of relief when you have implemented all of the appropriate safeguards to protect PHI and have ensured adherence to the HIPAA Privacy, Security and Breach Notification Rules. However, continued compliance requires ongoing effort: IT systems need to be upgraded and updated, new technology is introduced, and HIPAA Rules and Regulations change. You should therefore conduct a risk assessment at least every 12 months, and also following any material change in HIPAA Rules.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
