Just over 12 months ago the HIPAA Omnibus Rule was introduced to plug a number of gaps in the legislation and bring Business Associates more comprehensively under HIPAA Rules. The new Rule also brought financial penalties in line with the HITECH Act.
The amendment to HIPAA has been effective for a year now and has been enforceable for 6 months. Not long remains before the Department of Health and Human Services’ Office for Civil Rights (OCR) starts conducting compliance audits again. It is currently preparing the second round of HIPAA compliance audits, in addition to investigating organizations that report breaches of Protected Health Information (PHI).
The anniversary of the introduction of the rule will probably not feel like something worth celebrating for many organizations, especially those that have struggled under the new requirements. For those that have made the necessary updates to policies and procedures already, standards must not be allowed to slip. Now is a good time to take stock and assess compliance before the audits commence.
HIPAA Compliance Audits are Coming
The audits may be a number of months away, but compliance is already being very closely scrutinized, and it is not just the OCR that is taking an interest. The Federal Trade Commission, Department of Personnel Affairs, Department of Justice, Puerto Rico Health Insurance Administration and state attorneys general are all examining data breaches for HIPAA violations, and fines can be issued by all of them.
The “wall of shame” – the breach portal on the OCR website – lists HIPAA breaches that have been reported to the HHS. It shows that the healthcare industry lacks the necessary protections to safeguard PHI, as each month numerous data breaches are reported and the records of hundreds of thousands of patients are being exposed.
In addition to data breaches, privacy rules must be adhered to. These rules restrict the use of PHI for marketing, how communications can be sent, and when and under what circumstances patient health information can be disclosed. These rules, too, are regularly violated.
Under the Omnibus Rule, Business Associates (BAs) can be fined directly for any HIPAA violations that they cause, but the Covered Entity (CE) can also be penalized for a data breach caused by a Business Associate. It is not sufficient to place total confidence in a BA to address all HIPAA-compliance issues; it is the responsibility of the CE to ensure that any organization beneath it has policies in place to protect PHI and that these policies have been put into practice and are being followed.
Custom Compliance Plans Must be Developed
HIPAA Regulations do include a strict set of rules governing data security and privacy, although in many cases they leave it up to the CE to decide the best way to put protections in place. This means there is no one method of ensuring compliance and each organization will require a custom compliance plan. Policies must be developed – which must also be regularly revised and updated – and the staff must be trained on those policies and the requirements of HIPAA.
However, one of the most important elements of the Health Insurance Portability and Accountability Act is the risk assessment. All covered entities must conduct a comprehensive risk assessment of all systems, physical environments and administrative procedures to identify vulnerabilities. Only then can all of those vulnerabilities be managed. Due to the importance of the risk assessment, it is recommended that this task be outsourced to a specialist, with the CE taking responsibility for continuous testing and updates.