HIPAA Omnibus: How CISOs Will Comply

Security Leaders Outline Their Strategies

By Marianne Kolbasuk McGee, January 30, 2013.

Healthcare privacy and security leaders are beginning to assess the work their organizations will need to do to comply with the recently published HIPAA omnibus rule.


For starters, hospitals, clinics and other healthcare organizations are preparing to modify their business associate agreements and patient privacy notices. They're also evaluating how to change the way they assess whether breaches need to be reported in light of new guidance in the rule (see: HIPAA Omnibus Rule Released).

But as an important first step, many are tackling the challenging task of mapping out responsibility for carrying out compliance work.

Assigning Responsibility

PeaceHealth, a delivery system with facilities in Washington, Oregon and Alaska, is designating "owners" for various compliance tasks, says Christopher Paidhrin, who'll soon take on the job of information services and technology administration manager.

"I mapped out both the privacy and security protocols from the HHS website and tagged each with an 'owner,'" Paidhrin explains. The owner is an executive or manager in charge of overseeing the project. Plus, an individual or team was designated with responsibility for executing each project, and a list of those who should be consulted or informed was prepared. Paidhrin then ranked projects based on deadlines and priorities.

A link to this responsibility and project matrix was added to PeaceHealth's project documentation repository. "Our thinking is that projects have milestones and timelines that can be managed and reported on," he says. Weekly progress reports help maintain project momentum, he adds. "The trending information provides us with a risk and compliance heat map for executives."

PeaceHealth also is reviewing and consolidating its policies, procedures and processes. "We have very clear policies, but they need to be tweaked for the final rule," Paidhrin says. "Our procedures are defined, but we need to make our documentation more complete. We're always looking for efficiencies in our processes."

Setting Priorities

The University of Pittsburgh Medical Center is also going through an assessment process. Privacy officers at each of its 20 hospitals are sizing up the compliance work that needs to be done at their facilities and the training their staff will need, says John Houston, vice president and privacy and information security officer.

Staff training also will be an important priority at St. Dominic Jackson Memorial Hospital, a 571-facility in Jackson, Miss. "I anticipate we'll be revising guidelines to ensure compliance with these regulations and taking a look at our training ... to see where we need to improve," says Dena Boggan, St. Dominic's HIPAA privacy and security officer.

At UAB Medical Center in Birmingham, Ala., initial compliance work will focus on identifying all documentation and processes where changes need to be made, says Shelia Searson, UAB medical center privacy officer.

"We will need to review almost everything 'HIPAA' - our [privacy] notice, policies, procedures, forms and documents. The changes contained in the omnibus final rule touch almost every HIPAA-related issue for our institution," she says.

For example, the academic medical center will need to make changes to patient authorization forms granting permission for UAB to use their data for research. Under HIPAA omnibus provisions, patients can give consent for their health information to be used in future research, rather than just for a specified study.

"We believe that this change will help research efforts," Searson says. "The work ahead of us is to be certain, through procedure and language, that we clearly inform research participants about any future research so that they understand their information could be further used or disclosed."

Business Associate Agreements

Many organizations will be rewriting business associate agreements because the omnibus rule clarifies that these vendors with access to patient data must comply with HIPAA (see: Breach List: Business Associate Update).

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
