HIPAA Omnibus: How CISOs Will ComplySecurity Leaders Outline Their Strategies
Healthcare privacy and security leaders are beginning to assess the work their organizations will need to do to comply with the recently published HIPAA omnibus rule.
For starters, hospitals, clinics and other healthcare organizations are preparing to modify their business associate agreements and patient privacy notices. They're also evaluating how to change the way they assess whether breaches need to be reported in light of new guidance in the rule (see: HIPAA Omnibus Rule Released).
But as an important first step, many are tackling the challenging task of mapping out responsibility for carrying out compliance work.
PeaceHealth, a delivery system with facilities in Washington, Oregon and Alaska, is designating "owners" for various compliance tasks, says Christopher Paidhrin, who'll soon take on the job of information services and technology administration manager.
"I mapped out both the privacy and security protocols from the HHS website and tagged each with an 'owner,'" Paidhrin explains. The owner is an executive or manager in charge of overseeing the project. Plus, an individual or team was designated with responsibility for executing each project, and a list of those who should be consulted or informed was prepared. Paidhrin then ranked projects based on deadlines and priorities.
A link to this responsibility and project matrix was added to PeaceHealth's project documentation repository. "Our thinking is that projects have milestones and timelines that can be managed and reported on," he says. Weekly progress reports help maintain project momentum, he adds. "The trending information provides us with a risk and compliance heat map for executives."
PeaceHealth also is reviewing and consolidating its policies, procedures and processes. "We have very clear policies, but they need to be tweaked for the final rule," Paidhrin says. "Our procedures are defined, but we need to make our documentation more complete. We're always looking for efficiencies in our processes."
The University of Pittsburgh Medical Center is also going through an assessment process. Privacy officers at each of its 20 hospitals are sizing up the compliance work that needs to be done at their facilities and the training their staff will need, says John Houston, vice president and privacy and information security officer.
Staff training also will be an important priority at St. Dominic Jackson Memorial Hospital, a 571-facility in Jackson, Miss. "I anticipate we'll be revising guidelines to ensure compliance with these regulations and taking a look at our training ... to see where we need to improve," says Dena Boggan, St. Dominic's HIPAA privacy and security officer.
At UAB Medical Center in Birmingham, Ala., initial compliance work will focus on identifying all documentation and processes where changes need to be made, says Shelia Searson, UAB medical center privacy officer.
"We will need to review almost everything 'HIPAA' - our [privacy] notice, policies, procedures, forms and documents. The changes contained in the omnibus final rule touch almost every HIPAA-related issue for our institution," she says.
For example, the academic medical center will need to make changes to patient authorization forms granting permission for UAB to use their data for research. Under HIPAA omnibus provisions, patients can give consent for their health information to be used in future research, rather than just for a specified study
"We believe that this change will help research efforts," Searson says. "The work ahead of us is to be certain, through procedure and language, that we clearly inform research participants about any future research so that they understand their information could be further used or disclosed."
Business Associate Agreements
Many organizations will be rewriting business associate agreements because the omnibus rule clarifies that these vendors with access to patient data must comply with HIPAA (see: Breach List: Business Associate Update).
At UMPC, Houston, an attorney who's already done work on thousands of business associate agreements, will take a lead role in amending the contracts. The changes to the agreements, he says, will be "narrowly focused to complying with HIPAA," so that there's no wiggle room for vendors to try negotiating out of those modifications, he stresses.
UPMC's supply chain management group will be responsible for contacting business associates about the changes and re-executing the contracts, he explains.
Under the final omnibus rule, covered entities have until Sept. 23, 2014, to make the needed amendments to HIPAA-compliant business associate agreements that were in effect by Jan. 25, 2013.
Advance planning will help St. Dominic tackle the challenge of altering business associate agreements, Boggan says.
Earlier, when the proposed version of HIPAA modifications were unveiled, the hospital started revisiting its business associate agreements, Boggan says. "For that reason, I don't anticipate we'll need to go through the process with our business associate agreements again, but I'll certainly be taking a look at our current language and compare it with the final rule, just to make sure."
Because of the changes brought about by the omnibus final rule, patient privacy notices need to be modified. For instance, they'll need to include language covering patients' rights to receive security breach notifications as well as electronic copies of their records. The notices also will need to explain the new HIPAA guidelines on using patient information for certain marketing purposes.
Houston contends that very few patients "actually read these notices" before signing them. As a result, UPMC will strive to make the notices more readable as it updates them.
The omnibus rule spells out in greater detail how to assess whether a security incident is a breach that must be reported.
Under the interim rule final breach notification rule, which has been in effect since September 2009, the decision to report breaches was based on a "harm standard," which involved assessing the risk of financial, reputational or other harm to the individuals whose information was breached. However, under the final version of the rule, covered entities, as well as business associates and their subcontractors, now must assess the probability that the protected health information has been compromised using a series of specific indicators (see: HIPAA Omnibus: Impact on Breach Notices).
As a result, UPMC will create a new flow chart of processes to assess incidents, replacing the chart used now for assessing harm, Houston explains. He suspects UPMC may see an increase in the number of breach notifications it issues under the revised rule because the old harm standard was far more subjective.
Boggan says St. Dominic already is well-prepared for the changes in how breaches are assessed under the new rule. "I had already adopted a risk analysis approach for evaluating breaches, so I don't anticipate much change in that process," she says.