HIPAA Omnibus: The Deadline DashCritical Tasks to Finish Before Enforcement Begins
With less than two weeks until the Sept. 23 enforcement date for the HIPAA Omnibus Rule, covered entities and business associates should be finishing a variety of privacy and security compliance tasks.
Among the compliance chores that need to be wrapped up are finalizing new notices of privacy practices provided to patients; updating security and privacy policies; ensuring the workforce is properly trained on key issues, including breach notification; identifying business associate relationships and tweaking agreements; and making sure that risk assessments are up-to-date and well-documented, security and privacy experts tell Information Security Media Group.
Those organizations that aren't keeping up with those and other related tasks risk falling short of full compliance with HIPAA Omnibus. And penalties for HIPAA non-compliance can be as much as $1.5 million per violation.
Tying Up Loose Ends
By now, covered entities, including hospitals, physician groups and health plans, should have their updated notice of privacy practices with an effective date of Sept. 23 ready to go.
Those notices should reflect updated policies and procedures for providing electronic copies of protected health information to patients upon request, as called for under the new rule. They also should educate patients about the rule's new restrictions on disclosing PHI for marketing and fundraising, says Kate Borten, principal at The Marblehead Group consulting firm.
Notices of privacy practices also must be updated to describe that patients now have the right to restrict disclosures of treatment to health plans if the patient paid for treatment out of their own pocket, says Matthew Jackson, a director at business consulting firm Protiviti. Plus, organizations should ensure they have a process in place to carry out patient requests that information not be disclosed to their insurer under these circumstances, he stresses.
The notices must also include a statement that the covered entity is required to notify affected individuals following a breach, he adds.
In addition to finalizing notices and policies, it's also vital to provide related training to the workforce, experts advise.
"Communicate the updated policies and procedures to the workforce members. Make sure they understand them, and know where to refer to them at any time during their work activities," says security specialist Rebecca Herold, a partner at the Compliance Helper and CEO of The Privacy Professor, a consulting firm.
"Send out an awareness communication reminding workers of what they need to be doing to comply with HIPAA requirements during their daily work activities," she advises. "Include some recent news examples to show how other organizations have had breaches and/or compliance sanctions as a result of not effectively following privacy and security policies and procedures."
Staff also should be trained on updated procedures for incident assessment, response and reporting in light of the HIPAA Omnibus requirements.
"Communication should be a priority not simply because of the recent scrutiny placed on covered entities and business associates alike, but also for facilitating effective compliance practices in an ongoing manner," Jackson says. "Organizations should ensure everyone involved is aware of their responsibilities and has the support necessary to perform accordingly."
A poorly prepared staff increases the risk of a workforce member making potentially very expensive missteps after Sept. 23, when federal enforcement ramps up.
"It is critical that a CE or BA's workforce is trained on HIPAA awareness, the policies and procedures within the organization," says Stevie Davidson, CEO and president of Health Informatics Consulting. "If that has not been done, it increases the risk of a workforce member making a critical mistake when handling PHI."
Organizations should be prepared to use the new rule's four-factor guidance on assessment of breaches by Sept. 23. And they should consider using that guidance immediately if a breach occurs before the enforcement deadline, experts say.
The four factors to be considered in determining whether an incident is a reportable breach under HIPAA Omnibus include:
- The nature and extent of the protected health information involved, including types of identifiers, and the likelihood of re-identification;
- The unauthorized party who used the PHI or to whom the disclosure was made;
- Whether PHI was actually acquired or viewed;
- The extent to which the risk to the PHI has been mitigated.
"While not formally required, organizations may choose to begin using the four-factor assessment of potential breaches in advance of the deadline, assuming such processes have been designed effectively and are ready to be put in place," Jackson says. "In the event that a potential breach is experienced before the deadline, the organization may very well modify/fine-tune their processes based upon lessons learned during that period."
Davidson says using the four-factor approach to breach assessment now, even though it is not yet required, "will allow for the appropriate documentation, process, procedures, communications, and controls to be put in place within an organization so that when 9/23 does come, you are in a good place to begin implementation of the new assessment."
Bob Chaput, CEO of Clearwater Compliance, reminds organizations that it's also important to keep breach response plans updated in the months and years ahead. "Document and maintain a living, breathing remediation plan," he suggests, because that demonstrates a good-faith effort in case a breach does occur.
Business Associate Relationships
Under HIPAA Omnibus, business associates and their subcontractors for the first time are directly liable for HIPAA compliance. And that means, in certain cases, that new or updated BA agreements need to be put in place this month.
Agreements tied to new BA relationships and contract renewals that were signed after the HIPAA Omnibus Rule was published in the Federal Register on Jan. 25 need to reflect Omnibus requirements by Sept 23. Pre-existing BA contracts have to be modified by Sept. 23, 2014.
Business associates must keep in mind that they now need BA agreements with their subcontractors.
Covered entities also need to more carefully track their BA relationships, Borten advises. "I suggest tracking all BAs, including a brief description of the BA's services, BA's contact information, date of BA contract signing, and internal 'sponsor' or contact for each BA. This list should be reviewed periodically to ensure all BAs are identified and contracts are up to date," she says.
Analysis and Documentation
Another important task that's been a weak spot for many covered entities is preparing a thorough HIPAA risk analysis.
"A covered entity needs to focus on getting their HIPAA-HITECH privacy and security risk assessment completed as well as ensuring they have an updated HIPAA manual with HITECH and Omnibus updates for both privacy and security policies and procedures," Davidson says. "In addition to performing their assessment, operational compliance and a well-documented internal compliance plan to manage their program should also be in place. This is what the OCR will look for immediately in an audit."
The permanent HIPAA security audit program, which will encompass business associates as well as covered entities, is expected to begin during fiscal 2014, which starts on Oct. 1.
And Jackson stresses that organizations must carefully document their risk analysis processes to provide proof during a potential audit. "Documented evidence ... [should] demonstrate the efforts an organization has undertaken to evaluate the sufficiency of privacy and security compliance practices and for addressing risks to ePHI," he says.
Organizations also need to ensure they've got evidence to show they're been mitigating risks.
"Action must be taken to address known deficiencies in a reasonable time frame," Jackson says. "Documented remediation plans, identified responsible parties, deadlines, and status or progress updates should be readily available. ... If such documentation is not available, organizations should be determining whether additional action may be warranted prior to upcoming deadlines."