HIPAA Omnibus: Top Challenges
Survey Identifies Biggest Compliance Struggles
What key challenges are healthcare organizations facing in complying with the HIPAA Omnibus Rule? Our new survey provides some insights.
The soon-to-be-released Healthcare Information Security Today Survey found that training and educating the workforce about compliance is the biggest headache.
Considering that frontline healthcare professionals and back-office staff deal with patients and their health information on a daily basis, getting the word out about changes to HIPAA compliance is vital, but I realize it's not easy. Those folks are super busy with their day-to-day duties. But missteps by staff, such as losing a mobile device, snooping at patient records, or e-mailing unsecured protected health information, are often the cause of health data breaches. So finding time for high-quality training is essential.
Other big HIPAA Omnibus compliance challenges, according to our third annual survey, involve signing new business associate agreements or revising existing contracts.
Under HIPAA Omnibus, business associates are directly liable for HIPAA compliance and are subject to fines that can range up to $1.5 million per HIPAA violation. We're hearing that some vendors are resisting spelling out in contracts exactly how they're protecting patient data under HIPAA. In fact, some vendors don't even want to acknowledge they are business associates, even though they have access to patient information.
Another key compliance challenge, according to our survey, is revising breach assessment practices to comply with new guidelines for notification under HIPAA Omnibus.
Previously, when determining whether a breach needed to be reported, organizations evaluated whether the incident was likely to cause an individual financial, reputational or other forms of "harm." Under HIPAA Omnibus, organizations need to more objectively assess four factors to determine whether an incident is a reportable breach. Those factors are:
- The nature and extent of the protected health information involved, including types of identifiers, and the likelihood of re-identification;
- The unauthorized party who used the PHI or to whom the disclosure was made;
- Whether PHI was actually acquired or viewed;
- The extent to which the risk to the PHI has been mitigated.
Yet another compliance challenge highlighted in our survey is providing individuals with access to their electronic records. Many organizations are still navigating how to provide patients access through patient portals and other means, while at the same time keeping the data private and secure.
In addition to dealing with ongoing compliance challenges, our survey shows almost 20 percent of entities haven't yet put into place a detailed compliance plan, even though enforcement began Sept. 23.
Much More to Come
In our survey, which was sponsored this year by (ISC)², we also asked CIOs, CISOs and other information security and privacy leaders from healthcare organizations about numerous other topics, including top security priorities, technology implementation plans, budgets and other initiatives for the year ahead.
So be sure to look for our extensive survey coverage in the weeks ahead, including feature stories, interviews, blogs, a webinar and a comprehensive report providing analysis.