What Healthcare professionals need to know to be HIPAA Omnibus Compliant by September, 2013
It’s the topic that every healthcare executive and professional has been discussing, and in some cases, dreading – the final regulations containing modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, better known as the HHS HIPAA Omnibus Rule.
Although there is actually very little in the Omnibus Rule that is entirely new, it could easily prove overwhelming for anyone not already familiar with the HITECH Act, and the HHS (Department of Health and Human Services) HIPAA Security and Privacy rules.
‘Covered entities’ (health plans, health care clearinghouses, and health care providers) as well as their business associates (health plan providers, e-prescribing gateways, even document storage or media destruction companies) must comply with the HIPAA Omnibus Rule, which consolidates an abundance of policy and procedural changes mandated by the HHS in the HIPAA Privacy Rule, HIPAA Security Rule, HIPAA Breach Notification Rule and HIPAA Enforcement Rule.
What is the HIPAA Omnibus Rule?
Approved and released in January 2013, the HIPAA Omnibus Rule became effective on March 26 and must be met within 180 days of this date, setting a hard compliance deadline of September 23, 2013. These restructured rules modernize and enhance previous regulations and bring together all previous versions of HIPAA rules into one complete and mandatory package. Some of the new additions introduced in the release of the new Omnibus Rule include:
HIPAA audits and violations
Aside from changes to the penalties, the new set of rules is now setting an expectation in the healthcare industry of regularly conducted HIPAA audits. The Office of Civil Rights (OCR) has determined that the next phase of HIPAA audits will commence in late 2013 and will monitor not only overall HIPAA compliance, but will also focus on adherence to the new HIPAA Omnibus Rules.
The bottom line is that all covered entities and business associates must ensure HIPAA compliance and perform due diligence to confirm security and privacy requirements are in order, or risk substantial fines ranging from $50,000 to $1.5 million per violation, depending on the severity and level of neglect related to non-compliance issues.
Becoming HIPAA compliant
Covered entities and business associates who haven’t already taken steps towards HIPAA compliance must make organizational changes now if they expect to meet HIPAA Omnibus compliance mandates by the September 2013 deadline. The complexity of many information infrastructures and the breadth of rules that organizations face can make this a daunting task; often, simply determining where to start is an uphill battle. Fortunately, while a HIPAA security officer or consultant is beneficial to ensure complete compliance, basic internal changes can be started today without the need for external resources.
To achieve and maintain an adequate HIPAA compliance program, the following steps should be at the top of any organization’s priority list. For those entities that have yet to begin the task of developing a HIPAA compliance program, this ‘general checklist’ can help get started tackling these requirements during the next few months before the HIPAA Omnibus Rule is enforced:
Electronic Protected Health Information (EPHI) inventory
EPHI refers to any protected health information (PHI) that is produced, saved, transferred or received electronically. To ensure HIPAA compliance, an organization must conduct an EPHI inventory to determine the breadth and specific details of all of the health information under the organization’s control. Careful attention should be paid to all inputs and outputs within, out of and into the organization’s technical boundaries. HIPAA regulations dictate how you must handle EPHI when storing and transferring it. Finding this data upfront, including knowing where it is or uncovering the unexpected places it may have drifted, makes implementation of the rules significantly easier and less expensive, allowing a single set of solutions to be applied rather than re-crafting them time and again when new EPHI instances and business practices are discovered.
As an integral and mandatory element of HIPAA compliance, a thorough risk analysis as mandated in section 164.408(a) of the HIPAA Security Rule is the catalyst for the selection and confirmation of the controls required to protect the confidentiality, integrity and availability of EPHI stored, transmitted or processed by a covered entity or business associate. According to the National Institute of Standards and Technology (NIST) Special Publication 800-30, a risk assessment or risk analysis is the process of identifying, estimating and prioritizing risks to organizational operations (or, in the case of HIPAA, health information operations and managed EPHI). This also includes implementing risk management in the form of intentionally planned, in-place security controls.
Policies and Procedures
This applies to both covered entities and business associates, and is counted as one of the primary regulations required for HIPAA compliance. By establishing a set of effective and workable policies and procedures, you are creating a resource for your employees to make HIPAA laws (and corporate processes relating to HIPAA) more understandable and create meaningful local implementation of these rules and processes for them to follow. Compliance is significantly cheaper and easier when all employees make informed and appropriate daily choices.
The HIPAA Security Compliance Evaluation should not be confused with the Risk Analysis. These two different mandates are both required by every covered entity and business associate in order to meet HIPAA compliance. Compliance evaluations involve periodic technical and non-technical assessments, creating a baseline for future HIPAA compliance measurement.
For several years, full HIPAA compliance has been deferred by many of those that are impacted, but now that it is equipped with hefty fines and in-depth audits, it’s really starting to get some teeth. Ignoring and avoiding this sleeping giant, which will be impacting the industry in short order with millions in fines as well as further investigations, could likely lead to the uncovering of systematic shortcomings and result in massive settlements and costly rapid remediation. It is becoming increasingly urgent that healthcare professionals and organizations take up comprehensive security management programs to address the concerns that can result in a breach of EPHI. Business associates and covered entities alike need to ensure that they execute a satisfactory HIPAA compliance program in a timely manner.
About the Author
Brett Michalek (CISSP, CISM, PCI-QSA) brings over 20 years of practical experience in network security, risk management and telecommunications. Brett focuses on the healthcare industry and leads the HIPAA compliance consulting team at Integralis.