Working with HIEs on HIPAA Compliance
4 Steps to Prepare for Omnibus Rule
When signing agreements with HIE organizations, "it's extremely important to address issues of what constitutes a breach, who's responsible for the notification and ... the costs associated with that," she says.
Under the HIPAA Omnibus Rule, which will be enforced starting Sept. 23, HIE organizations are considered business associates that are directly liable for HIPAA compliance.
As a result, HIE participants should find out how the organization running the exchange is addressing four key compliance issues, Oscislawski, who specializes in regulatory issues, says in an interview with Information Security Media Group.
First, participants should determine who at the HIE organization is responsible for compliance oversight, she says. "[The HIE organization] should be able to demonstrate that they have a structure in place and a group of people who have taken ownership of HIPAA and HITECH Act compliance," she says. That should include an organization's security and privacy officers, as well as legal counsel and others.
Second, participants should examine the HIE organization's security and privacy policies.
"Any HIE has to have well-developed HIPAA policies that ... address ... how the requirements and standards under HIPAA work in the HIE context," she says. "HIEs [policies] that have been thoughtfully developed will address [HIPAA] issues including the updates of Omnibus," she says.
Third, participants should make sure the HIE organization has sufficient compliance documentation. For HIEs, as well as for all business associates and covered entities under HIPAA, an array of compliance evidence needs to be written down.
"For instance, if you're addressing a breach, and you're trying to evaluate whether you need to notify, you have to document your process of determination," she says. Other important documentation includes a business associate agreement and a detailed security risk analysis.
Fourth, participants must ensure the HIE organization carries out its policies with sound processes.
For instance, "If you have [a policy] on how you dispose of your copy machines, but no one actually follows that policy, then you're going to end up in a [regulatory enforcement] situation" similar to one experienced recently by Affinity Health Plan, she says.Affinity in August agreed to pay federal regulators $1.2 million in a settlement tied to a 2010 incident that affected more than 340,000 individuals whose data was discovered on the hard drives of copy machines that had been returned to a leasing company.
In the interview, Oscislawski also discusses:
- More details about the impact of HIPAA Omnibus on health information exchanges and their participants;
- Steps HIEs should take to prevent breaches involving the data supplied by covered entities;
- Who's responsible when a breach involves an HIE.
Before founding Attorneys at Oscislawski, a healthcare law firm based in Princeton, N.J., Oscislawski was a healthcare attorney with a national law firm for almost a decade. In 2008, Gov. Jon Corzine appointed Oscislawski to the New Jersey Health Information Technology Commission to fill the seat reserved by statute for "an attorney practicing in this state with demonstrated expertise in health privacy." In 2010, Gov. Chris Christie reappointed Oscislawski to the HIT Commission, and she was also tapped to serve as chair of the State Privacy and Security Committee.
