In a March 19 webinar hosted by McGuireWoods, Holly Carnell, JD, and Amanda L. Enyeart, JD, associates, and Kimberly J. Kannensohn, JD, partner, McGuireWoods, discussed the Omnibus Final Rule that implements and interprets the provisions of the Health Information Technology for Economic and Clinical Health Act. The speakers also gave suggestions regarding steps to ensure a healthcare organization remains compliant with The Health Insurance Portability and Accountability Act of 1996 in the wake of the final rule.
HHS published the Omnibus Final Rule on Jan. 25, 2013. It is effective on March 26. Covered entities, business associates and their subcontractors must achieve compliance by Sep. 23.
Ms. Enyeart began by reviewing key revisions to HIPAA under the final rule, such as expansion of the definition of the term "business associate" to include entities that maintain and store protected health information even if they do not view it.
"The revisions to the Act do not mean a healthcare organization will need to overhaul its policies and procedures, but certain changes will have to be made," said Ms. Carnell.
HIPAA enforcement activities have also been on a rise. Ms. Carnell and Ms. Enyeart gave several examples of organizations that experienced HIPAA violations and had to settle with the HHS. Given that the penalties for violating HIPAA have increased under the final rule, this is a situation that organizations want to avoid.
Ms. Carnell, Ms. Kannensohn and Ms. Enyeart suggested the following 10 steps for achieving HIPAA compliance in the wake of the final rule.
1. Development of privacy policies. Healthcare organizations must develop, adopt and implement privacy and security policies and procedures. They must also make sure that they are documenting all their policies and procedures, including steps to take when a breach occurs, said Ms. Carnell.
2. Appointment of privacy and security officers. Healthcare organizations should appoint a privacy and security officer. This could either be the same or different individuals. This person should be conversant in all HIPAA regulations and policies, said Ms. Kannensohn.
3. Conducting regular risk assessments. Healthcare organizations should regularly conduct risk assessments to identify vulnerabilities. This will help ensure the confidentiality and integrity of protected health information. It is important to remediate any identified risks and revise policies, if necessary, to minimize risk, said Ms. Kannensohn.
4. Adoption of email policies. Healthcare organizations should adopt policies regarding the use of e-mail. "The Office of Civil Rights does not look too kindly on organizations who haven't established policies regarding mobile devices and email communication," said Ms. Enyeart. HIPAA does not prohibit the use of email for transmitting protected health information and it does not require that the email be encrypted. But, according to Ms. Enyeart, it is best to encrypt email if possible. If your organization can't encrypt email, make sure that your patients are aware of the risks they are facing if they ask for their health information over email.
5. Adoption of mobile device policies. Healthcare organizations should adopt strict policies regarding the storage of protected health information on portable electronic devices, and they should regulate the removal of those electronic devices from the premises. HHS has issued guidance regarding the use of mobile devices, and healthcare organizations should be familiar with it, said Ms. Enyeart.
6. Training. Training all employees who use or disclose protected health information and documenting that training, is an essential step to ensuring HIPAA compliance. Healthcare organizations should also conduct refresher courses and train the employees in new policies and procedures, said Ms. Carnell.
7. Notice of Privacy Practices. A Notice of Privacy Practices should be correctly published and distributed to all patients. It should also be displayed on the organization's website, and the organization should obtain acknowledgement of receipt from all their patients. Ms. Carnell said that the notice should be updated whenever policies are revised. It will need to be updated now to reflect the provisions of the Omnibus Final Rule.
8. Entering into valid agreements. Healthcare organizations should ensure that they are entering into valid business associate agreements with all business associates and subcontractors. Any existing business associate agreements will have to be updated to reflect the changes to HIPAA under the final rule, such as the expansion of liability of business associates, said Ms. Enyeart.
9. Adoption of potential breach protocols. A protocol for investigating potential breaches of protected health information is a must. The Risk of Harm Standard and the risk assessment test can be used to determine if a breach has occurred. If a breach has occurred, it is essential that the healthcare organization document the results of the investigation and notify the appropriate authorities, said Ms. Carnell.
10. Implementation of privacy policies. Privacy and security policies must be properly implemented by healthcare organizations, and they should sanction employees who violate them.
These 10 steps will help healthcare organizations ensure that they remain HIPAA compliant, but Ms. Carnell said that organizations are also encouraged to check the resources available on the Office of Civil Rights website, such as sample business associate agreements and audit protocols.
HHS Delays Enforcement of HIPAA Transaction Rules Until April
47% of Healthcare Leaders Face Challenges in Meeting HIPAA Requirements
HHS published the Omnibus Final Rule on Jan. 25, 2013. It is effective on March 26. Covered entities, business associates and their subcontractors must achieve compliance by Sep. 23.
Ms. Enyeart began by reviewing key revisions to HIPAA under the final rule, such as expansion of the definition of the term "business associate" to include entities that maintain and store protected health information even if they do not view it.
"The revisions to the Act do not mean a healthcare organization will need to overhaul its policies and procedures, but certain changes will have to be made," said Ms. Carnell.
HIPAA enforcement activities have also been on a rise. Ms. Carnell and Ms. Enyeart gave several examples of organizations that experienced HIPAA violations and had to settle with the HHS. Given that the penalties for violating HIPAA have increased under the final rule, this is a situation that organizations want to avoid.
Ms. Carnell, Ms. Kannensohn and Ms. Enyeart suggested the following 10 steps for achieving HIPAA compliance in the wake of the final rule.
1. Development of privacy policies. Healthcare organizations must develop, adopt and implement privacy and security policies and procedures. They must also make sure that they are documenting all their policies and procedures, including steps to take when a breach occurs, said Ms. Carnell.
2. Appointment of privacy and security officers. Healthcare organizations should appoint a privacy and security officer. This could either be the same or different individuals. This person should be conversant in all HIPAA regulations and policies, said Ms. Kannensohn.
3. Conducting regular risk assessments. Healthcare organizations should regularly conduct risk assessments to identify vulnerabilities. This will help ensure the confidentiality and integrity of protected health information. It is important to remediate any identified risks and revise policies, if necessary, to minimize risk, said Ms. Kannensohn.
4. Adoption of email policies. Healthcare organizations should adopt policies regarding the use of e-mail. "The Office of Civil Rights does not look too kindly on organizations who haven't established policies regarding mobile devices and email communication," said Ms. Enyeart. HIPAA does not prohibit the use of email for transmitting protected health information and it does not require that the email be encrypted. But, according to Ms. Enyeart, it is best to encrypt email if possible. If your organization can't encrypt email, make sure that your patients are aware of the risks they are facing if they ask for their health information over email.
5. Adoption of mobile device policies. Healthcare organizations should adopt strict policies regarding the storage of protected health information on portable electronic devices, and they should regulate the removal of those electronic devices from the premises. HHS has issued guidance regarding the use of mobile devices, and healthcare organizations should be familiar with it, said Ms. Enyeart.
6. Training. Training all employees who use or disclose protected health information and documenting that training, is an essential step to ensuring HIPAA compliance. Healthcare organizations should also conduct refresher courses and train the employees in new policies and procedures, said Ms. Carnell.
7. Notice of Privacy Practices. A Notice of Privacy Practices should be correctly published and distributed to all patients. It should also be displayed on the organization's website, and the organization should obtain acknowledgement of receipt from all their patients. Ms. Carnell said that the notice should be updated whenever policies are revised. It will need to be updated now to reflect the provisions of the Omnibus Final Rule.
8. Entering into valid agreements. Healthcare organizations should ensure that they are entering into valid business associate agreements with all business associates and subcontractors. Any existing business associate agreements will have to be updated to reflect the changes to HIPAA under the final rule, such as the expansion of liability of business associates, said Ms. Enyeart.
9. Adoption of potential breach protocols. A protocol for investigating potential breaches of protected health information is a must. The Risk of Harm Standard and the risk assessment test can be used to determine if a breach has occurred. If a breach has occurred, it is essential that the healthcare organization document the results of the investigation and notify the appropriate authorities, said Ms. Carnell.
10. Implementation of privacy policies. Privacy and security policies must be properly implemented by healthcare organizations, and they should sanction employees who violate them.
These 10 steps will help healthcare organizations ensure that they remain HIPAA compliant, but Ms. Carnell said that organizations are also encouraged to check the resources available on the Office of Civil Rights website, such as sample business associate agreements and audit protocols.
More Articles on HIPAA:
How Does HIPAA and the HITECH Act Impact Medical Device and Pharma Companies?HHS Delays Enforcement of HIPAA Transaction Rules Until April
47% of Healthcare Leaders Face Challenges in Meeting HIPAA Requirements