HIPAA Omnibus Compliance Help On Way: HHS Rolling Out Web-based Educational Tools
The Department of Health and Human Services will provide educational tools to help healthcare organizations and their business associates comply with the HIPAA Omnibus Rule.
The HHS Office for Civil Rights, which enforces HIPAA, plans to post a number of compliance tools online at about the time the rule takes effect on March 26, says Susan McAndrew, OCR deputy director of health information privacy. The compliance deadline for the rule is Sept. 23.
McAndrew revealed the plans in a Feb. 19 presentation at the HIPAA Summit in Washington.
The new online educational resources will include:
- A breach risk assessment tool offering guidance about how covered entities and business associates can determine if notification of a breach is warranted under the new standard for determining whether data was compromised (see: HIPAA Omnibus: How CISOs Will Comply);
- Guidance on how covered entities should determine the "minimum necessary" amount of information to be disclosed to business associates or others to deliver healthcare or perform a business function;
- Compliance tools tailored to assist smaller healthcare entities;
- Modification of previously released HIPAA training for state attorneys general so it can be used by covered entities;
- Expanded consumer materials, including YouTube videos and fact-sheets in seven languages explaining patient rights and other aspects of the final rule.
These new tools will join other resources that HHS has already released to assist healthcare providers and others with HIPAA security and privacy rule compliance, including:
- Recently released sample language to include in business associate contract modifications;
- Data de-identification guidance for protecting patient information used in research and stored in large databases;
- Risk analysis guidance, which has been available for several years; and
- Mobile device security tips, which were released in December by the Office of the National Coordinator for Health IT.
McAndrew says OCR hopes that all the tools will help organizations deal with HIPAA compliance issues that OCR has identified as problem areas, especially risk assessments.
"One of the most consistent findings [OCR is seeing] is failure to conduct risk assessments of where protected health information is vulnerable," says OCR Director Leon Rodriguez, who also spoke at the HIPAA Summit.
Stepping Up Enforcement
Under HIPAA Omnibus, enforcement will become tougher, Rodriguez stresses. That includes OCR enforcement of HIPAA as a result of breach investigations as well as random audits.
"Omnibus in many ways vastly expands the reach of the security and privacy rules," he adds. "It brings business associates and subcontractors accountable the same way covered entities are."
From September 2009 through the end of 2012, OCR received 77,200 HIPAA complaints, investigated 27,500 cases, issued 18,600 corrective actions and collected $14.9 million in fines and resolution settlements, Rodriguez says.
Addressing OCR's recent settlements, some of which resulted from investigations of smaller breaches at smaller organizations, Rodriguez says, "We're not targeting any particular ... sector of healthcare delivery. Instead we're looking for patterns of privacy and security breaches," including violations that seem to be longstanding and have a high risk of causing harm to individuals.