Although it's been a year since federal officials began enforcing the HIPAA Omnibus Rule, many covered entities and business associates are still struggling with even the most basic requirements, says security consultant Andrew Hicks.
The rule established many new HIPAA requirements and increased penalties for non-compliance.
"We are still seeing organizations that are not fully embracing or acknowledging that they are [liable for] HIPAA compliance," says Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire. "One year after HIPAA Omnibus ... went into effect, there's still that lack of interest, that lack of desire to become HIPAA compliant."
This is especially the case for many business associates, who under HIPAA Omnibus became directly liable for HIPAA compliance and subject to financial penalties for HIPAA violations from the Department of Health and Human Services' Office for Civil Rights. "They've been pulled into this reluctantly, and they don't understand what they're on the hook for," he says.
Also, many organizations are still having difficulty understanding their precise obligations under the HIPAA Security Rule, he says, because "it's very big, it's vague, it's risk-based. Organizations that are new to this or don't have dedicated [compliance] resources just throw up their hands into the air; they don't know where to start."
Hicks argues that the HIPAA Security Rule lacks "prescriptive control requirements" and that federal officials have not issued adequate compliance guidance.
"It would be nice if OCR overhauled the security rule and made it much more prescriptive. That would allow organizations to better harden their environments to prevent things like ... cybersecurity attacks. ..."
Completing the required risk assessment is challenging for many, Hicks says, because of a lack of resources to commit to the effort.
Too many covered entities attempting to comply with the new provisions of the HIPAA Omnibus Rule, as well as the original HIPAA privacy and security rules, take a "checklist" approach rather than building a comprehensive security program, Hicks says. "There are a lot of things that they miss by not adopting a security framework or going at it with a security approach."
The motivation for improving HIPAA compliance should go far beyond avoiding the higher financial penalties for non-compliance established under HIPAA Omnibus, Hicks says. Organizations of all sizes must keep in mind that failing to properly protect data can put patients at serious risk, he stresses. "We just saw a few weeks ago that Community Health Systems had 4.5 million records breached; those are 4.5 million individual lives that may in some way, shape or form be affected."
In the interview, Hicks also discusses:
- The pattern of breaches that have been reported since enforcement of the HIPAA Omnibus Rule began on Sept. 23, 2013;
- How to prepare for possible HIPAA enforcement activities, such as compliance audits;
- The long-term impact of HIPAA Omnibus.
Hicks has more than 10 years of experience in IT governance, including responsibilities specific to IT security, risk management, audit, business continuity, disaster recovery and regulatory compliance. His experience also includes implementing and managing IT internal control programs to maintain compliance with Sarbanes-Oxley, HIPAA, the HITECH Act and PCI.