HIPAA Compliance in the SpotlightEffective Date of HIPAA Omnibus a Reminder of Unfinished Tasks
The HIPAA Omnibus Rule goes into effect today, March 26. While organizations have until Sept. 23 to comply with the rules' many provisions, including modifications to the HIPAA security and privacy rules, recent federal breach investigations and audits have shown that many organizations are having trouble complying with basic HIPAA requirements that have been in place for years - much less the additional omnibus requirements.
Longstanding trouble spots in HIPAA compliance include: conducting a thorough and timely risk assessment; documenting those assessments as well as security policies and procedures; and training staff on compliance.
Because HIPAA Omnibus requires business associates and their subcontractors to comply with the HIPAA Security Rule and many provisions of the HIPAA Privacy Rule, hospitals, insurers and other covered entities now face the extra task of making sure their vendor partners are compliant (see: HIPAA Omnibus: Business Associate Tasks).
In addition to changes related to business associates, other major provisions of the HIPAA Omnibus Rule include:
- New guidance for how to assess whether to report a breach based on the probability of information being compromised (see: HIPAA Omnibus: Breach Notification Tips);
- A prohibition against covered entities selling patient information, such as for marketing, without patient authorization, and the need to modify notices of privacy practices to reflect that (see: HIPAA Omnibus: Consumer Protections);
- A requirement to provide patients with electronic copies of their records upon request;
- A requirement that covered entities not disclose to health insurers information about treatment or services if the patient pays out of pocket for the care (see: HIPAA Omnibus' Trickiest Provision).
Business Associates' Responsibilities
Business associates that "create, receive, maintain or transmit protected health information on behalf of a covered entity" are now directly liable for HIPAA compliance. And some of these vendors will have a lot of catching up to do to comply, says David Newell, director at CTG Health Solutions' Security Solutions Practice.
"Business associates being liable for HIPAA is the biggest sweeping change in omnibus," he says.
Security consultant Rebecca Herold says she's working with companies "that are making it a point to get in compliance with all the requirements as soon as possible. Why? Their covered entity clients are telling them they need to, or, more often, the covered entities that want to be their clients are making HIPAA compliance a requirement to do business."
Herold, partner at Compliance Helper and CEO at The Privacy Professor, a consulting firm, adds: "Business associates are now scrambling more than ever before to work on their compliance activities. However, I estimate there are still a good 50 percent or so that are still in denial about what they actually need to do."
Conducting a timely and thorough risk assessment, as well as documenting all security policies, are key components of a HIPAA compliance program, Newell stresses. Unfortunately, the last time that some organizations conducted a risk analysis was when the HIPAA Security Rule went into effect in 2005, he says. As a result, some organizations don't have a clue about how their risks have evolved.
The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, says that an insufficient risk analysis is among the top weak spots discovered during the agency's pilot HIPAA compliance audit program, which evaluated 115 organizations in 2012. Also, some of the breach-related settlements with OCR have noted risk analysis as an area of deficiency.
Experts point out that the lack of timely risk assessment has also played a key role in organizations failing to take other important measures, such as widespread implementation of encryption. OCR's "wall of shame" website shows that of the 556 major breaches that have occurred since September 2009, more than half have involved the loss or theft of unencrypted computing devices (see: Breach Tally: Encryption Still an Issue).
"One thing we're seeing is that some organizations will encrypt their laptops because they hear of breaches involving these devices, yet they don't have a solid plan for what to do with encryption because they haven't done a recent risk analysis," Newell says.
For instance, a risk analysis can help identify protected health information that's located on desktop computers or other devices that need protections, he says.
Sometimes covered entities need help to uncover where PHI is hidden in applications and databases, especially if they've been involved with a merger or acquisition, says Maureen Kaplan of Verizon's healthcare cloud and security services unit. "Many organizations have good controls around procedures, but not for application development, where PHI can be hidden," she says.
Write It Down
Documentation of all security steps provides critical proof of HIPAA compliance in case of a federal audit or investigation. Plus, it helps support development of staff education programs.
But too many organizations fail to document the findings of their risk assessments or create formal, written policies tied to new security-related processes, experts say.
For example, Newell has found that when some organizations implement security measures, such as using new anti-malware software, they fail to document the use of the software or explain in their policies their strategy for addressing viruses, he says. "There is no real policy, nothing gets documented, no records are kept," he says.
While the compliance efforts for HIPAA Omnibus could offer some organizations a fresh start to address HIPAA security and privacy issues they've neglected in the past, Chuck Christian, CIO of St. Francis Hospital in Columbus, Ga., says those laggards need to get moving soon.
"I'm sure that there are organizations that have been lulled into complacency due to the fact that 'nothing has happened' [in terms of breaches]," he says. "We all need to make certain that all of our ducks are in a row as we move forward."
Christian says it's important for organizations to stay vigilant about evolving threats and have adequate resources available for data security, going beyond a focus on HIPAA compliance.
Finally, making sure staff understand HIPAA security and privacy policies is critical to compliance - especially for the new provisions of HIPAA Omnibus, security experts say.
"Training is almost always inadequate," says Herold, the consultant. "Ongoing awareness reminders in-between training is often missing altogether."