The Expert's View with Christopher Paidhrin

HIPAA Omnibus: 5 Compliance Tips

Insights on Taking Quick Action
HIPAA Omnibus: 5 Compliance Tips

Healthcare organizations waited a long time for the long-overdue HIPAA Omnibus Rule, which finally was released in January. Now it's time for them to hurry up with their compliance planning.

March 26 is the effective date, and Sept. 23 is the compliance enforcement date. The rule, which modifies the HIPAA privacy, security and enforcement rules as well as the HIPAA breach notification rule, includes greater accountability and documentation requirements, which complicate the rush for an execution plan. The solution may not be simple, but the first steps can be done quickly.

Step 1: Strategy. As with any business-critical project, you need to have a talented and capable leader - not a team or a committee, but a responsible individual who has the knowledge, authority and resources to map out your strategy, priorities and execution plan. Get this person fully engaged quickly.

Step 2: Design. Numerous healthcare associations, Internet resources and consultants can provide assistance with laying out the crosswalk between what's new in the final rule, what's changed from the earlier, proposed versions of its components and where the risks are. How complicated the mitigation plan is depends on how compliant your program is today. All healthcare organizations should be able to use the HHS Security Framework as a baseline and develop a compliance program.

Few will ever read the entire, lengthy HIPAA Omnibus Rule. So the best bet is to use the search feature of your pdf reader and look for "Final Rule." Read and understand every section that starts with this heading. Make sure you have good policies, documentation, processes and controls in place to meet each standard.

The National Institute of Standards and Technology offers numerous free guidelines for how to create and manage security programs, including a HIPAA Security Resource Guide and HIPAA Toolkit that should be updated soon to reflect the final rule.

Step 3: Operationalize Compliance. Simplicity is the operational goal of a compliance program. Measure yours against the metrics used by the Health and Human Services' Office for Civil Rights in its HIPAA audit program protocol. Compare your program of processes, controls, policies and training against the 78 security, 81 privacy and 10 breach elements. Wherever you recognize a gap, you've identified a risk.

Step 4: Transition Plan. First things should always come first. The risk heat map generated by Step 3 will identify your greatest exposure to non-compliance and the need for something new called "affirmative defenses." The rise in reporting of breach incidents, and hefty fines, will motivate your leadership to prioritize an aggressive remediation plan.

Step 5: Continuous Improvement. Excellence is the path, not an endpoint. The very best organizations build into their compliance programs a final project and process phase of continuous improvement. When hard-wired into your program, this iterative process affirms progress, reassures leadership and improves compliance.

The business value for you in these quick steps is the same as the core driver behind the HIPAA Omnibus Final Rule - to improve the quality, integrity, accessibility and confidentiality of your patient's protected health information.

It's time for some surefooted quick stepping.

Christopher Paidhrin, CRISC, is information security and technology administrator at PeaceHealth, a delivery system in the Pacific Northwest.

About the Author

Christopher Paidhrin

Christopher Paidhrin

Chief Information Security Officer, City of Portland

Prior to his role at the City of Portland, Paidhrin was the security administration and integrity manager in the compliance division of PeaceHealth, a healthcare delivery system in the Pacific Northwest, where he worked for 14 years. He previously served as PeaceHealth's IT security compliance officer. Prior to PeaceHealth, Paidhrin worked for many years in IT and business operations in higher education, the private sector and entrepreneurial environments, where he has held numerous director-level positions. He has also presented at numerous industry events.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.