HIPAA Omnibus: Tips for Small Providers
Experts Offer Compliance Insights
The clock is ticking for HIPAA Omnibus Rule compliance, with the Sept. 23 deadline looming. And smaller healthcare providers with limited resources will find compliance preparation particularly challenging.
"Small providers are still struggling to figure out what they need to do," says security specialist Rebecca Herold, partner at Compliance Helper and CEO at The Privacy Professor, a consulting firm. The problem these organizations run into is "they typically don't have anyone on staff that has the expertise to help them understand what they need to do," she says.
But smaller organizations can start by setting up a to-do list of chores that need to be tackled, including updating their patient privacy notices, identifying vendors that need new or updated business associate agreements, revising procedures for assessing whether a breach must be reported and updating their risk assessments to identify ways to prevent breaches.
Experts advise small hospitals, clinics and others to take advantage of free or low-cost reference material from non-profit organizations as well as government agencies, including the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA. The reference material includes, for example, sample business associate agreements and risk assessment guidance.
"A lot of organizations think all security solutions are expensive, but a lot of security tools are free," says Harry Rhodes, director of health information management solutions at the American Health Information Management Association.
Many trade associations, including AHIMA, offer free educational events and other resources to members. Plus, non-profit groups such as the HIPAA Collaborative of Wisconsin, or HIPAACow.org, offer HIPAA compliance tips as well as links to other resources.
Much At Stake
Smaller organizations must keep in mind that they have the same compliance responsibilities as much larger entities.
OCR has made this point clear in recent enforcement actions, in which it has slapped smaller organizations with penalties as a result of investigations following breaches. That includes a hospice that experienced a breach affecting fewer than 500 individuals (see: Hospice Gets $50,000 HIPAA Penalty).
"There are no excuses for noncompliance - which now would be considered 'willful neglect' and put an organization into the highest category of enforcement," says independent healthcare security consultant Tom Walsh. Many smaller organizations will likely need to get some outside help, especially for more complex work such as risk assessments, he says.
But Walsh also notes that smaller organizations can handle many compliance tasks on their own.
"For really small organizations, policies could be simply addressed through the employee handbook or manual with a chapter on 'information security,'" including an update to reflect any changes related to HIPAA Omnibus, he says.
For instance, some policy changes might be handled by cutting and pasting the language straight from the HIPAA Omnibus Rule into an organization's written policy. That could include language about the rule's new breach notification standard.
HIPAA Omnibus spells out a more objective standard for determining whether breach notification is required: an impermissible use or disclosure of protected health information is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the information was compromised. So staff will need to know about new procedures for reporting incidents.
Many smaller organizations also should be able to handle rewriting of notices of privacy practices on their own, Walsh suggests. For example, the notices must be altered to reflect HIPAA Omnibus provisions regarding restrictions on the use of patient information for marketing or fundraising purposes.
"Lawyers tend to make the notice unreadable, and it is supposed to be written in an easy-to-understand format," Walsh says. "Make sure you tell patients what you do with their information and why, and what the patient needs to do if they object to the standard practices followed by the organization."
Business Associate Agreements
Under HIPAA Omnibus, business associates that create, receive, maintain or transmit protected health information on behalf of a covered entity are now directly liable for HIPAA compliance.
So, business associate agreements need to be modified to reflect that change. However, resources are available online to help covered entities make changes to business associate agreements. Those include:
- A sample business associate agreement on the OCR website;
- Another sample business associate agreement from the North Carolina Healthcare Information and Communications Alliance, which is available free to members and for $50 for non-members.
While these samples can help guide organizations, Walsh suggests considering a legal review as well.
Risk Assessment Resource
Although the HIPAA Omnibus Rule doesn't make major changes to the HIPAA Security Rule, Walsh notes that many smaller organizations are far behind in compliance with the existing requirements. For example, many lack an up-to-date risk assessment. "The original deadline for compliance was April 2005 - eight years ago," he notes.
Dave Newell, director at CTG Health Solutions' Security Solutions Practice, suggests that OCR's HIPAA audit protocol, which was used in last year's compliance audits, can be a useful starting point for risk assessments.
Although OCR plans to update the protocol to reflect HIPAA Omnibus changes, "there's no better way to evolve your HIPAA compliance than checking out that tool," he says.
Walsh suggests organizations that find themselves strapped for funding for privacy and security issues consider reinvesting HITECH Act meaningful use incentive funds into the effort.
"If the organization gets audited or has a breach, they may lose all of that [incentive] money - plus be fined and held liable for damages," Walsh notes. "The ramifications for noncompliance are much greater today because of the revised enforcement piece of the HIPAA Omnibus Rule."