Last-Minute HIPAA Omnibus Headaches
Privacy, Security Leaders Discuss Final Compliance Chores
In the final days before the Sept. 23 HIPAA Omnibus Rule enforcement date, healthcare organizations are busily wrapping up final compliance details.
For many organizations, including Sharp HealthCare, an integrated delivery system in California, the biggest compliance headache in recent weeks has been updating business associate agreements.
But other time-consuming tasks in the days leading up to the enforcement deadline, privacy and security professionals say, are updating notices of privacy practices and training staff about compliance with the new rule (see HIPAA Omnibus: The Deadline Dash).
"Reviewing all HIPAA-related vendors and then following up with them to get new BAA [business associate agreements] takes a lot of coordination and time," says Tom August, director of information security at Sharp. Under HIPAA Omnibus, business associates and their subcontractors are, for the first time, directly liable for HIPAA compliance, which means agreements need to be altered.
His advice to others also still dealing with BAA updates: "Don't assume that you have documented BAAs with all of your legacy HIPAA-related vendors, even if you have a longstanding relationship with them. Make sure you have documentation for all of them."
Tackling business associate agreements has also been the biggest compliance chore at University of Pittsburgh Medical Center, which has 20 hospitals, 400 physician offices and outpatient facilities, plus a health plan in Pennsylvania.
That chore won't end for UPMC and many other healthcare entities on Sept. 23, either. Here's why: Under HIPAA Omnibus, agreements tied to new BA relationships and contract renewals that were signed after the HIPAA Omnibus Rule was published in the Federal Register on Jan. 25 need to reflect Omnibus requirements by Sept. 23. But for pre-existing BA contracts, covered entities have some extra time. Those have to be modified by Sept. 23, 2014.
"Since there is a transition period, I think that we will continue to spend significant time on our HIPAA business associate agreements," says John Houston, UPMC's vice president and privacy and information security officer. "We have also chosen to revamp our process, as our experience has shown us that there are better ways to manage BAAs."
While revisions to BAAs have been a mammoth chore for many organizations, "there was less resistance to the BAA changes than expected," says Christopher Paidhrin, security administration manager in the information security technology division at PeaceHealth, a healthcare delivery system in the Pacific Northwest. "Vendors and partners seem to understand that these requirements were coming. The tide had shifted and the current too strong for anyone to resist," he says.
"Documentation, on the other hand, takes more time than expected. ... The surprise is how much complexity there is for how many related relationships there are," Paidhrin says.
For some organizations, long-term compliance planning has paid off.
"Had we not been proactive when [the] HITECH [Act] came out in 2009, the most challenging chore would have been to revise and reissue our business associate agreements," says Dena Boggan, HIPAA privacy and security officer at St. Dominic Jackson Memorial Hospital in Jackson, Miss. "However, we revised those [contracts] in 2010, so we were not faced with that challenge."
While finishing up on BAAs, Sharp HealthCare is also tying up loose ends with notices of privacy practices, August says.
To lend a hand with that task, the Department of Health and Human Services this week issued three model Notices of Privacy Practices that reflect all consumer rights under HIPAA Omnibus.
The model notices are provided in three styles and are customizable by users, according to HHS. The three options from HHS for privacy notices are:
- A notice in the form of a booklet;
- A layered notice with a summary of the information on the first page and full content on the following pages; and
- A notice with the design elements of the booklet, but that is formatted for full-page presentation.
Final Policy Reviews
At St. Dominic Jackson Memorial Hospital, the trickiest HIPAA Omnibus compliance chore was "simply finding the time to review and suggest revisions for affected policies and procedures," Boggan says. That careful review is continuing right up to the enforcement date, she says. She and her team are now "just doing an overall review of what we had on our action implementation plan, to assure we didn't miss anything."
Other covered entities that created an implementation action plan when the Omnibus Rule was published in January "should be reviewing that plan to ensure they've successfully completed their implementation," she says. But those that failed to create an action plan early in the game, Boggan says, should "review the regulations again to ensure all areas of the organization are compliant, or will be by the implementation deadline."
Boggan says the easiest step toward compliance was training the staff. "Again, we'd been proactive when HITECH was passed, and Omnibus didn't change those provisions much," she notes.
But many other organizations, including PeaceHealth, are completing their training program. "Making the [compliance] changes a simple adjustment in the minds of the caregivers - that's the trick," Paidhrin says. "The core expectation [of HIPAA compliance] remains the same, but we need to tell the story as a clarification, an enhancement, not a transformation."
Houston of UPMC says the HIPAA Omnibus enforcement deadline is a good catalyst for refreshing and enhancing compliance training. "While HIPAA requires that we retrain our staff regarding the changes, this is an additional opportunity to educate staff even further," he says.
Rebecca Herold, partner at the Compliance Helper and CEO of The Privacy Professor, a consulting firm, reminds organizations that while training staff about the new requirements under Omnibus is important, organizations should also be prepared to keep the workforce on the alert after Sept. 23. "Provide awareness communications to your workers about what they need to remember to safeguard the information they work with on a daily basis," she suggests.
While workforce education can aid in preventing data breaches, another important aspect of HIPAA Omnibus compliance is being prepared to assess whether incidents are reportable breaches based on its changes in the HIPAA breach notification rule. Under HIPAA Omnibus, organizations need to consider four factors in assessing whether a breach is reportable:
- The nature and extent of the protected health information involved, including types of identifiers, and the likelihood of re-identification;
- The unauthorized party who used the PHI or to whom the disclosure was made;
- Whether PHI was actually acquired or viewed;
- The extent to which the risk to the PHI has been mitigated.
As part of its HIPAA Omnibus preparedness efforts, UPMC has re-evaluated and revamped its breach assessment procedures, Houston says.
"We completely redesigned our breach assessment process," he says. "What is really interesting is that in the process of doing so, we developed a really great tool for doing breach assessments." UPMC has been trying out the tool in advance of the Sept. 23 enforcement deadline.
As HIPAA Omnibus compliance efforts wrap up, one of the big lessons organizations should keep in mind for future projects is that "big things are hard to do," says Paidhrin of PeaceHealth.
"All change should be chunked into small but manageable tasks that align into a unified managed project," he says. "Roles and responsibilities, timelines and targets, all form an environment of expectation and accountability. [By taking those steps], progress is much easier to demonstrate and achieve."