HIPAA Omnibus Compliance: Getting HelpHow to Get the Right Assistance at the Right Time
Many healthcare organizations are going to need assistance sifting through the HIPAA omnibus final rule and its complex compliance requirements.
See Also: Attack Surface Management: Improve Your Attack Surface Visibility
Smaller organizations that lack a HIPAA compliance expert or IT security specialist likely will seek some outside help. But even some larger organizations may seek advice about certain aspects of the regulation.
I suspect there will be plenty of legit and not-so-legit companies willing to assist.
Plenty of consultants, law firms and other companies offer compliance help. I predict that, in the weeks and months to come, "specialty" HIPAA Omnibus practices will pop up as part of these firms' offerings. I also anticipate that there will be lots of new companies that spring up to offer help.
But with all the assistance that some healthcare organizations will need in a short amount of time, given the compliance deadline of September, I suspect there will be plenty of legit and not-so-legit companies willing to assist.
So, organizations need to be very careful when choosing their HIPAA help. It's important to fully assess these compliance helpers to ensure you'll get sound advice.
And remember: Using the compliance services of a specialty firm does not guarantee your organization will be fully HIPAA compliant, so beware of consultants who promise that in their marketing pitches.
And before shelling out money to consultants, be sure to check out the resources available from the Department of Health and Human Services, state hospital associations, and professional organizations, including the American Health Information Management Association, says Judi Hofman, privacy and security officer at St. Charles Health System in Portland, Ore.
"There is a lot of free help out there from places like that, so look around first," Hofman says.
Do Your HomeworkSome steps to take when evaluating firms offering HIPAA compliance assistance include:
- Ask about the company's staff credentials and experience.
- Check references, especially previous HIPAA compliance clients.
- Find out how long the company has been in business, and how long it's been offering HIPAA compliance services.
- Ask about the specific compliance services available that are tied to various aspects of the massive new rule.
- Check if the company can provide staff training for HIPAA omnibus compliance, because training is such an essential component of any long-term compliance effort.
- Get at least three price quotes and make sure you're crystal-clear on the pricing model the advisory firm uses. Get a realistic estimate of the amount of time the project will take.
The HIPAA omnibus rule is 563 pages long, so sorting through all of its provisions will be time-consuming, even with outside assistance.
Key issues to address include:
- Keeping your risk assessment up to date;
- Figuring out who is a "business associate" and what should be included in your modified business associate agreements;
- Updating notices of privacy practices to reflect new requirements, such as alerting patients that they have the right to obtain an electronic copy of their records;
- Assessing breach incidents under the new notification standard to determine whether they need to be reported.
If you haven't already started digging into the HIPAA Omnibus Rule to figure out what you'll need to do to comply, it's time to get going. The longer you wait, the more difficult - and probably more expensive - it'll be to grab the best consultants for assistance, if that proves necessary.
Remember, HHS is promising tougher HIPAA enforcement. And the penalties for failure to comply are higher than ever. So there's a lot at stake.
"But don't panic," says Hofman the privacy and security officer. "It shouldn't be a huge surprise for most of us about what needs to be done. If you fooled yourself into waiting until the final rule before doing anything, then you have bigger problems."