This is the first of a two-part series of tips on preparing for the HIPAA omnibus rule to go into effect. The first part covers how to identify your organization's greatest risk in advance of the rule's enforcement.
The HIPAA omnibus rule went into effect in early 2013, and federal enforcement was set to begin this fall after a 180-day grace period expires Sept. 23. With this in mind, Jaime Dupuis, practice consultant for the Regional Extension Center of New Hampshire (RECNH) offered a checklist of compliance tasks for attendees of a recent webinar, some of whom were smaller physician practices and medical groups:
- Update your Notice of Privacy Practices (NPP). Dupuis gave examples from the Department of Veterans Affairs, Beth Israel Deaconess Medical County Hospital District Texas and Stanford University Hospitals as recently updated NPPs that might inspire your organization's next
- Rework business associate agreements (BAAs) to reflect the fact that business associates are now directly liable for HIPAA compliance and are also subject to the new breach notification rules.
- Make risk analysis an ongoing process that includes, at minimum: defining and assembling a risk analysis team; evaluating the likelihood and impact of potential risks to protected health information (PHI); listing the findings (including policy or security gaps) in the assessment; developing a work plan and timeline for mitigating risks; implementing appropriate security measures to address identified risks; developing and refining written policies and procedures to fully comply with regulations; and, finally, having the team meet regularly to ensure continuous, reasonable and appropriate security protections.
- Work on the highest-risk vulnerabilities first. Risk assessments are a big part of meaningful use attestation and of HIPAA compliance going forward. While only your own risk assessment reveals your own punch list of breach possibilities, HHS's Office for Civil Rights pegs physical theft of patient records as the number-one cause of HIPAA violations (55%), followed by disclosure of PHI without patient consent (20%) and data lost or not accounted for (12%).
- Confirm that risk analyses cover the following topics: physical security of hardware and devices; password management and role-based access control; portable and mobile device policies; data encryption and network security. Administrative safeguards should be covered as well, such as data backup and employee termination policies that cut off former employees' network access, along with an employee password policy that requires employees to change passwords regularly.
- Employ a network firewall; install and regularly update antivirus software. While these two pieces of "data security 101" advice might not sound particularly earth-shattering, they bear repeating as many offices still aren't employing these basics.
Continue to part two for Jaime's PHI protection tips.
This was first published in August 2013