One month from today, as most healthcare organizations already (should) know, they will need to be compliant with the much-talked-about HIPAA omnibus rule. Whether it’s vetting the details of a “HIPAA compliant” product or establishing a concrete security training regimen for staff, healthcare organizations have had a lot on their plates ahead of the Sept. 23, 2013 compliance date.
Of course, the majority of organizations looking to be compliant have already done the necessary work. But others may be headed right down to the wire as the HIPAA compliance date nears. HealthITSecurity.com has spoken with a handful of legal and compliance experts regarding the HIPAA omnibus rule since the spring, and there are a few trends they consistently see organizations still dealing with.
Updating business associate agreements (BAAs)
Dianne Bourque, partner at Mintz Levin, described the volume of HIPAA BAA paperwork that organizations are handling, and have been handling, ahead of the deadline.
Mostly what I’m seeing right now is updating forms, policies and procedures. That’s the obvious fix that says “Hey, we read the rules and know what we need to do.” Frankly, they need to review and update them on a regular basis anyway. There are a lot of entities that enter new business associate agreements (BAAs) with some frequency and they’d need to have a current form by September, so the sooner they start using an updated form the better. And the forms themselves reflect a changing view of our covered entity clients’ landscape as a result of the new rule.
We’re seeing covered entities take a more aggressive role when negotiating with BAs in terms of control. For example, we’re seeing more covered entities asking for HIPAA policies and procedures from a BA to ensure they’re compliant and a reliable repository for protected health information (PHI). A covered entity will have to answer, in one way or another, for its business associate’s failure to protect PHI.
60 days to report
Lisa Sotto, head of Hunton & Williams’ global privacy and data security practice, talked about the fact that each individual breach is unique and reporting times should vary based on size and difficulty.
The other shift here is with the timing piece. We know you have to notify HHS within 60 days, but in the preamble, HHS says that 60 days is the outer limit and that in some cases, 60 days would be an unreasonable delay. This to me is particularly troublesome because, having handled more than 900 data breaches, many data breaches simply aren’t ripe for reporting in 60 days. It’s sometimes very difficult to understand the scope of a breach and then, once you’ve understood the scope, you can then pull together your list of names of people to whom you need to send notification. And getting the contact information together is no easy feat.
Need for more guidance
Drinker Biddle partner Jennifer Breuer argued that there needs to be additional support from the government for organizations that may not be as up to speed in HIPAA requirements or may not have the resources to be compliant.
“We need a lot more clear guidance that’s specific to health information exchanges (HIEs) and sharing data in open-architecture systems,” Breuer said. “[Many organizations] are flying by the seat of their pants in a way and making it up as they go along. You can’t really help it, though, because they haven’t heard what they need to do.”