HIPAA Omnibus: 5 Compliance TipsInsights on Taking Quick Action
Healthcare organizations waited a long time for the long-overdue HIPAA Omnibus Rule, which finally was released in January. Now it's time for them to hurry up with their compliance planning.
See Also: Creating a Culture of Security
March 26 is the effective date, and Sept. 23 is the compliance enforcement date. The rule, which modifies the HIPAA privacy, security and enforcement rules as well as the HIPAA breach notification rule, includes greater accountability and documentation requirements, which complicate the rush for an execution plan. The solution may not be simple, but the first steps can be done quickly.
As with any business-critical project, you need to have a talented and capable leader.
Step 1: Strategy. As with any business-critical project, you need to have a talented and capable leader - not a team or a committee, but a responsible individual who has the knowledge, authority and resources to map out your strategy, priorities and execution plan. Get this person fully engaged quickly.
Step 2: Design. Numerous healthcare associations, Internet resources and consultants can provide assistance with laying out the crosswalk between what's new in the final rule, what's changed from the earlier, proposed versions of its components and where the risks are. How complicated the mitigation plan is depends on how compliant your program is today. All healthcare organizations should be able to use the HHS Security Framework as a baseline and develop a compliance program.
Few will ever read the entire, lengthy HIPAA Omnibus Rule. So the best bet is to use the search feature of your pdf reader and look for "Final Rule." Read and understand every section that starts with this heading. Make sure you have good policies, documentation, processes and controls in place to meet each standard.
The National Institute of Standards and Technology offers numerous free guidelines for how to create and manage security programs, including a HIPAA Security Resource Guide and HIPAA Toolkit that should be updated soon to reflect the final rule.
Step 3: Operationalize Compliance. Simplicity is the operational goal of a compliance program. Measure yours against the metrics used by the Health and Human Services' Office for Civil Rights in its HIPAA audit program protocol. Compare your program of processes, controls, policies and training against the 78 security, 81 privacy and 10 breach elements. Wherever you recognize a gap, you've identified a risk.
Step 4: Transition Plan. First things should always come first. The risk heat map generated by Step 3 will identify your greatest exposure to non-compliance and the need for something new called "affirmative defenses." The rise in reporting of breach incidents, and hefty fines, will motivate your leadership to prioritize an aggressive remediation plan.
Step 5: Continuous Improvement. Excellence is the path, not an endpoint. The very best organizations build into their compliance programs a final project and process phase of continuous improvement. When hard-wired into your program, this iterative process affirms progress, reassures leadership and improves compliance.
The business value for you in these quick steps is the same as the core driver behind the HIPAA Omnibus Final Rule - to improve the quality, integrity, accessibility and confidentiality of your patient's protected health information.
It's time for some surefooted quick stepping.
Christopher Paidhrin, CRISC, is information security and technology administrator at PeaceHealth, a delivery system in the Pacific Northwest.