This is the first of a two-part series of tips on preparing for the HIPAA omnibus rule to go into effect. The first part covers how to identify your organization's greatest risk in advance of the rule's enforcement.
More on HIPAA omnibus compliance
SearchHealthIT's compliance guide
Where meaningful use stage 2 and HIPAA omnibus collide
Retool your business associate agreements
The HIPAA omnibus rule went into effect in early 2013, and federal enforcement was set to begin this fall after a 180-day grace period expires Sept. 23. With this in mind, Jaime Dupuis, practice consultant for the Regional Extension Center of New Hampshire (RECNH) offered a checklist of compliance tasks for attendees of a recent webinar, some of whom were smaller physician practices and medical groups:
- Update your Notice of Privacy Practices (NPP). Dupuis gave examples from the Department of Veterans Affairs, Beth Israel Deaconess Medical Center, Harris County Hospital District Texas and Stanford University Hospitals as recently updated NPPs that might inspire your organization's next draft.
- Rework business associate agreements (BAAs) to reflect the fact that they are now directly liable for HIPAA compliance as well as subject to new breach notification rules.
- Make risk analysis an ongoing process that includes at minimum: defining and assembling a risk analysis team; evaluating the likelihood and impact of potential risks to protected health information (PHI); listing the findings (including the policy or security gaps) in the assessment; develop a work plan and timeline for mitigating risks; implement appropriate security measures to address identified risks; develop and refine written policies and procedures to fully comply with regulations; and, finally, have the team meet regularly to ensure continuous, reasonable and appropriate security protections.
- Work on highest-risk vulnerabilities first. Risk assessments are a big part of meaningful use attestation and HIPAA compliance moving forward. While only your own risk assessment reveals your own punch list of breach possibilities, HHS's Office of Civil Rights pegs physical theft of patient records the number-one cause of HIPAA violations (55%), followed by disclosure of PHI without patient consent (20%) and data lost/not accounted for (12%).
- Confirm that risk analyses cover the following topics: physical security of hardware and devices; password management and role-based security access; portable and mobile device policies; data encryption and network security. Administrative safeguards such as data backup and employee termination policies that also cut off former employees' network access should be covered as well.
- Strengthen your employee password policy and require employees to regularly change passwords. Get more advice on this topic -- and the whys behind it -- here.
- Employ a network firewall; install and regularly update antivirus software. While these two pieces of "data security 101" advice might not sound particularly earth-shattering, they bear repeating as many offices still aren't employing these basics.
Continue to part two for Jaime's PHI protection tips.