The Department of Health and Human Services, in its auditing and enforcement activities, has confirmed that a lack of training is a common cause of HIPAA compliance difficulties. So it's taking several steps to help.
See Also: Rethinking Endpoint Security
This week, HHS unveiled several new online tools to educate healthcare providers and consumers about the HIPAA security and privacy rules. It also plans to issue guidance to assist healthcare organizations and business associates with HIPAA Omnibus Rule compliance. And it's considering calling attention to the need for HIPAA compliance training in Stage 3 of the HITECH Act's electronic health record incentive program.
Among the new HIPAA educational tools that HHS' Office for Civil Rights unveiled this week are:
- A series of fact sheets in eight languages to inform patients of their rights under HIPAA - and additional rights under HIPAA Omnibus;
- A training module, "Patient Privacy: A Guide for Providers," available on Medscape.org, which makes physicians and other healthcare providers eligible for free continuing education credits;
- A video, The HIPAA Security Rule, designed to provide smaller physician group practices with an overview of basic safeguards for protecting patient information and complying with the rule's requirements. Earlier this year, OCR released a series of videos targeting consumers that focus on various aspects of HIPAA.
The new resources are part of a larger HHS mission to raise overall awareness and understanding of HIPAA by patients and healthcare providers, says Rachel Seeger, an OCR information privacy outreach specialist.
In addition to the new tools unveiled this week, OCR plans to release a variety of guidance materials to help healthcare organizations and business associates comply with provisions of the HIPAA Omnibus Rule, including its updated breach notification rule, Seeger says. The HIPAA Omnibus guidance material will be released "before end of September if not sooner," she says (see: HIPAA Omnibus: Guidance Coming).
OCR's upcoming HIPAA omnibus guidance will include "frequently asked questions" and technical assistance covering a variety of topics, Seeger says.
Because OCR receives many inquiries about HIPAA Omnibus compliance from smaller providers, it plans to address their concerns in upcoming guidance material, she says (see: HIPAA Omnibus: Tips for Clinics).
The HIPAA Omnibus Rule went into effect March 26, but covered entities as well as their business associates have until Sept. 23 to comply.
Stage 3 Spotlight
In addition to OCR's efforts to offer HIPAA training, another unit of HHS is looking into ways to boost compliance education efforts among healthcare providers.
The Office of the National Coordinator for Health IT is in the early stages of devising rules for Stage 3 of the HITECH Act's electronic health record incentive program, slated to begin in 2016. In early discussions about Stage 3 requirements, the HIT Policy Committee's Privacy and Security Tiger Team, which advises ONC, is weighing whether the Stage 3 rules should highlight the importance of HIPAA training.
At an April 30 meeting, tiger team members discussed "spotlighting" in the Stage 3 meaningful use regulations the training requirements in the HIPAA Security Rule. That's because inadequate HIPAA training is one of the key deficiencies OCR has discovered in its enforcement actions, says Deven McGraw, tiger team chair.
David Holtzman, OCR's senior health information technology and privacy specialist, plans to give the tiger team a report on the results of last year's HIPAA compliance audits. The team will then use that report to support decisions on what HIPAA-related requirements to spotlight in the Stage 3 rule.
The meaningful use rule for Stage 1 of the EHR incentive program spotlights HIPAA's risk assessment requirement. The rule for Stage 2, which begins in 2014, highlights the need to assess the value of encryption of stored data.
Under the HITECH Act program, eligible providers must attest to meeting all program requirements to collect incentive payments. Participants face random audits to confirm their compliance with HITECH requirements.