HIPAA Omnibus: 4 Timely Compliance Tips
Experts Share Insights for Staying on Track
The HIPAA Omnibus Rule takes effect March 26, but the date that really counts is Sept. 23. That's when the Department of Health and Human Services' Office for Civil Rights begins enforcing the rule. The next six months will fly by fast, and experts say healthcare organizations and business associates should take compliance steps now.
In tackling everything that needs to be accomplished by Sept. 23, Shelia Searson, privacy officer at UAB Medical Center in Birmingham, Ala., says it's important to maintain a detailed to-do list.
"Although each covered entity will have their major projects to be completed, none can disregard the small issues to be completed as well," she says. "There is much to be done. This 'to-do' list will change over the next months as new details surface and as other details are completed, but it will also help you stay on track to meet the compliance date with time to spare."
Four key chores to accomplish, experts advise, include: Making sure business associates follow new compliance requirements; changing internal policies and procedures related to HIPAA modifications, such as obtaining patient consent for using protected health information for marketing or fundraising purposes; updating notices of privacy practices; and fine-tuning breach notification assessments.
1: Evaluate Business Associate Relationships
HIPAA Omnibus clarifies that business associates and their subcontractors are directly responsible for compliance with the HIPAA Security Rule and many components of the HIPAA Privacy Rule. The rule expands the definition of a business associate to include health information organizations that run health information exchanges, e-prescription gateways, and any entity that "creates, receives, maintains or transmits protected health information on behalf of a covered entity."
So before they can amend or create business associate agreements, hospitals, clinics and other covered entities must create an inventory of all their partners. And that can be a tall order: larger entities could depend on the services of hundreds of vendors.
Covered entities generally have until Sept. 23, 2014, to update business associate agreements that were in place as of Jan. 25, 2013. Most new business associate agreements, as well as renewals, need to be modified to reflect the HIPAA Omnibus changes by Sept. 23, 2013.
Mac McMillan, CEO of IT security consulting firm CynergisTek, advises hospitals and others to carefully examine their accounts payables list for all parties with which they do business to determine which ones qualify under the expanded BA definition.
Rita Bowen, chief privacy officer of HealthPort, a provider of health information management services, advises organizing vendor contracts based on their renewal dates, so that those business associate agreements that need to be modified by Sept. 23, 2013, are taken care of first.
The modified business associate agreements need to clearly state that the vendor must now comply with the technical, administrative and physical safeguard requirements under the HIPAA Security Rule and is liable for non-compliance, stresses Tom Walsh, an independent healthcare security consultant.
Plus, covered entities need to ensure that their business associates have similar agreements in place with their subcontractors. "Require tangible proof that the business associate has met or plans to meet new requirements by the Sept. 23 compliance date," he says. "Ensure your BAs are in a position to comply with use or disclosure limitations expressed in the contract and those in the Privacy Rule."
Walsh also recommends that business associates as well as covered entities establish "aggressive plans to become fully compliant by Sept. 23." He also suggests they evaluate cyber-insurance to protect themselves in the event of a breach. "For business associates, they assume the downstream liability of their subcontractors. Therefore, they should also have some type of indemnification clause in their contract," he says.
2: Adjust Policies and Procedures
Organizations will need to adjust a number of policies and procedures as a result of HIPAA Omnibus.
For instance, HIPAA Omnibus strengthens the limitations on the use and disclosure of PHI for marketing and fundraising purposes, and prohibits the sale of PHI without individual authorization.
So not only do patient privacy notices need to be updated to reflect those changes, but the fundraising and marketing staff of healthcare organizations also need to be educated and procedures in those departments modified where necessary.
Although they have until Sept. 23 to revise policies and procedures, covered entities "should prioritize what provisions they might want to put into effect March 26," says healthcare privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
For instance, they may want to consider first revising their policies related to provisions that could be less disruptive to implement, such as a provision that allows covered entities to release proof of patient immunizations to schools.
"Make sure all training gets done before policy changes are made, and especially before Sept. 23," he stresses.
3: Update Privacy Notices
But privacy and security consultant Kate Borten, founder of The Marblehead Group, warns that changing some policies, and not others, before Sept. 23 could open the door to having to revise notices of privacy practices, which are handed out to patients, more than once to reflect the new policies.
Searson of UAB Medical Center suggests that revisions to notices of privacy practices be completed soon. "There are a number of items that must be addressed or updated," she notes. Several updates, which also affect organizations' internal procedures, focus on the patients' rights: their right to receive notification if affected by a breach of unsecured PHI, their right to opt out of fundraising, and their right to restrict certain disclosures of PHI to health plans when they pay for services out of pocket, she says.
Once updated, the notice will need to be printed, posted, and made available to all patients, she notes.
4: Modify Breach Assessment Procedures
One of the most critical provisions of HIPAA Omnibus that organizations need to tackle is modifying their breach assessment and notification procedures.
The interim final breach notification rule, in effect before HIPAA Omnibus, contained a "harm standard," under which organizations were required to assess whether an incident was likely to result in financial, reputational or other harm to an individual, and thus, merited reporting.
But HIPAA Omnibus drops the harm standard and provides more objective guidance on breach notification that focuses on the probability that information was compromised. Organizations now must consider four factors in assessing breaches:
- The nature and extent of the protected health information involved, including types of identifiers, and the likelihood of re-identification;
- The unauthorized party who used the PHI or to whom the disclosure was made;
- Whether PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
Borten points out that those same four factors were highlighted in the interim final breach notification rule's preamble and, thus, should have been considered all along by organizations in assessing breaches, even when the harm standard was in effect.
"If you've been using the four factors in the past, you were probably already doing a good job in assessing breaches," adds Greene, the attorney.
Johns Hopkins Health System already was assessing incidents with consideration of the four factors of breach notification that were part of the interim final rule, says Darren Lacey, CISO at Johns Hopkins University and its health system. As a result, "The [omnibus] rule doesn't change the process that we've been using to assess incidents," he says.
Nevertheless, Lacey predicts that for incidents that were "tough calls" under the harm standard, notifications will increase under HIPAA Omnibus.