The Department of Health and Human Services (HHS) issued modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules on Jan. 18. According to Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”
The final rules had been anticipated by the industry for some time. Because few sanctions had been imposed and the monetary fines levied were low, HIPAA regulations have historically not been viewed by the industry as a high-risk area. These updates, combined with the proactive HIPAA audits that OCR began last year and is expanding this year, create significant additional risk for healthcare organizations, both providers and payers. That risk now extends directly to the Business Associates (BAs) that service them. Exposure is significantly higher for every organization that handles protected health information (PHI), with civil penalties tiered by level of culpability and capped at $1.5 million per calendar year for violations of an identical provision. For the roughly one million covered entities and the millions of BAs that touch PHI, it is time to act on these final rules and bring compliance processes up to date as soon as possible.
Given the potential impact, all covered entities must prepare to demonstrate evidence of compliance and maintain an “audit-ready” state. Some suggested actions for healthcare organizations include:
- Review all privacy and security policies and procedures to ensure they are up-to-date and reflect actual practice;
- Perform self-assessments to detect issues of non-compliance with the requirements and initiate corrective actions where necessary;
- Implement a training and awareness program for employees and BAs. The program should include verification of its effectiveness, both to reduce the risk of privacy breaches and to meet the expectations of auditors;
- Conduct knowledge assessments to demonstrate that employees have received appropriate HIPAA training;
- Review the current methods used for investigating reported HIPAA violations;
- Review business partner relationships to understand where PHI is used outside of the organization and ensure that appropriate Business Associate Agreements (BAAs) are in place;
- Conduct assessments of BAs to proactively identify potential risks and prevent privacy breaches that may occur outside the organization. It is important to note that a large share of reported breaches originate with deficiencies at third-party business partners;
- Review auditing and monitoring practices to ensure that the organization is proactively looking for areas of non-compliance.
Management of privacy breaches and streamlined reporting are also critical to maintaining compliance and ensuring each incident is handled properly. Steps to ensure this process is completed properly include logging and tracking unauthorized disclosures, managing investigations of suspected breaches, tracking and logging the status of notifications to affected parties, and producing the information required for HHS reporting. It is also important to remember that even when a breach is caused by a BA, the covered entity remains responsible for breach notification and bears the reputational and regulatory consequences, so proper management of third parties is critical.
Today, many healthcare providers, health plans and their BAs continue to manually manage multiple, independent processes, including the revision, distribution and acknowledgement of policies and procedures. They are also attempting to manually manage third-party risk, remediate compliance gaps, assess and test the overall risks related to breaches and required notifications, and prepare for proactive audits. Without automating these tasks on a common platform, staff must expend enormous effort to address all the requirements, remediate compliance gaps, and document evidence of compliance status and breach management readiness. Lack of automation also increases the risk of privacy breaches, sanctions and fines.
To eliminate these manual, time-consuming tasks, healthcare organizations should streamline compliance efforts, reduce overhead costs and secure the desired outcomes by adopting integrated solutions that specifically support audit preparation. With access to current HIPAA privacy and security rules, background analysis and best-practice recommendations, together with risk assessment questionnaires and tracking of corrective actions, an organization can ensure it is always audit-ready.
The new HIPAA updates, combined with the proactive OCR audits, create significant additional risk for all healthcare organizations and many of their BAs. By embracing automation and integrated solutions and processes, these organizations can stay on top of their compliance obligations, so that when an OCR audit arrives they are fully prepared and more likely to see it resolved in their favor.
John Brooke, general manager of healthcare, SAI Global Compliance, works with healthcare provider customers and prospects throughout the United States. Brooke is directly responsible for healthcare sales operations and interacts daily with Compliance 360 executives, marketing, business development, professional services and product management to ensure a constant focus on the success of the company’s healthcare provider customers. He has also spent more than 25 years in healthcare including responsibilities in finance at for-profit healthcare leader American Medical International, Inc.