HIPAA Compliance: A Year on from the Omnibus Rule
It has been a little over a year since the Omnibus Rule brought HIPAA legislation in line with HITECH, and six months since adoption of all aspects of the rule became mandatory and HIPAA compliance became enforceable.
The Omnibus Rule did not introduce any major legislative changes, but it did contain a huge number of amendments to HIPAA that fine-tune the legislation and tighten up its language, bring Business Associates into the fold, and increase the financial penalties for non-compliance.
The Department of Health and Human Services’ Office for Civil Rights (OCR) will assess compliance with the Omnibus Rule and is expected to do so in the next round of audits, scheduled to commence in the fall of this year.
Covered organizations have a few months before the auditors come knocking. When they do, they will be looking for evidence of the measures that have been implemented to comply with the HIPAA Privacy and Security Rules; now is therefore no time for rest. It’s time to get prepared.
Many government agencies are also looking closely at the healthcare industry, and many are actively fining organizations for HIPAA violations. The Federal Trade Commission, the Puerto Rico Health Insurance Administration and State Attorneys General are all permitted to impose fines for violations of HIPAA Rules and are doing so. The fines are considerable: the OCR can impose up to $1.5 million for each violation category, per year that the violation has persisted.
Business Associates featured heavily in the legislation, as their actions are now governed by HIPAA. Marketing use of PHI was also limited.
Preparing for an Audit and Achieving HIPAA Compliance
HIPAA is flexible and allows covered organizations to select the methods they believe appropriate to protect PHI and ensure patient privacy. Many of the rules are more like recommendations, being only addressable rather than mandatory. This means a compliance plan must be developed for each specific organization, and it can be adapted to that organization’s circumstances.
There are a number of steps that can be taken to ensure compliance. Detailed below are some of the key areas that OCR auditors found organizations were struggling with during the pilot round of compliance audits.
Conduct a Comprehensive Risk Analysis
It is imperative that a comprehensive risk analysis is conducted to identify all security vulnerabilities. If a risk analysis is not conducted, there is no way of determining if the current safeguards in place to protect PHI are sufficient. It is best to employ an external specialist agency to conduct the risk analysis to ensure that all security vulnerabilities are identified.
Develop Policies and Procedures to Manage Risk
Policies and procedures must be developed and documented, and they must be revised and updated on a regular basis. Signed Business Associate Agreements must be obtained from all third-party contractors and vendors who are required to come into contact with PHI.
Train the Workforce on HIPAA Rules
Policies and procedures are of little use if the staff is not trained on their importance. Full training must be provided on the staff’s obligations under HIPAA Rules, including when PHI can be accessed and disclosed. The staff must also be tested on their knowledge, and all training and testing must be documented. Employees must be made aware of the repercussions of not adhering to HIPAA Rules.
Compliance is an Ongoing Process
You can breathe a sigh of relief once you have implemented all of the appropriate safeguards to protect PHI and have ensured adherence to the HIPAA Privacy, Security and Breach Notification Rules. However, continued compliance requires ongoing effort: IT systems are upgraded and updated, new technology is introduced, and HIPAA Rules and Regulations change. You should therefore conduct a risk assessment at least every 12 months and also following any material change in HIPAA Rules.