When the final omnibus rule (Omnibus Rule) was unveiled at the start of 2013, Leon Rodriguez, HHS Office for Civil Rights Director, said, “This marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”
Now that the September 23, 2013 compliance deadline has passed, covered entity health care providers must ask, “Is our practice meeting all the requirements?”
Is your practice compliant with HIPAA Omnibus regulations?
Most small physician practices aren’t meeting these requirements, which puts you at financial, legal and reputational risk.
In fact, the 2012 pilot program of Office for Civil Rights (OCR) audits revealed that only 2 out of 61 healthcare providers had no negative findings. Audit results indicate that risk analysis ranked among the top five findings for audited covered entities.
Too many covered entities are failing to perform or update the HIPAA risk analysis as required by the Security Rule. And most aren’t conducting a gap analysis of the HIPAA safeguards and implementation specifications.
Knowing this, here are five issues that healthcare organizations of all sizes need to address. Ask yourself these critical questions…
1. Have you conducted a risk analysis for your practice?
Without doing this documented annual due diligence, you’re at risk for negligence – and some potentially hefty fines. Ignoring your HITECH/HIPAA responsibilities can be catastrophic because the highest penalties apply in cases of “willful neglect.” Once gaps are identified, you must establish an action plan for remediation activities that addresses the highest risks first.
2. Have you updated your Business Associate Agreements?
Under the new law, you are liable for breaches that occur when business partners are working with your data (such as coders, claims processing vendors, etc.). You need legal agreements that clarify the scope of Business Associate obligations, breach notification procedures and timeframes.
3. Have you fully trained your staff to comply with the latest regulations?
Human error, usually in the form of misdirected files (especially claims that are faxed or emailed to the wrong person), accounts for a large majority of data breaches. And training doesn’t work if it is a one-time occurrence – you have to train staff continuously. Omnibus has changed the definition of breach and the standard for determining if an incident is a reportable breach. Your staff needs to be retrained on this new definition and approach.
4. What do you do if a computer or mobile device containing patient health information is lost or stolen?
You will be judged on how you notify the government and patients when a breach does occur, and you can be penalized for not having a process in place. Your incident response process must be revised to meet the tougher breach reporting standard.
5. Are patient data files encrypted?
Roughly 50% of small practice data breaches occur on devices where patient health information is not encrypted, giving the wrong people access to private data. Big or small, encryption is the de facto standard that may save you from having to report a breach.
No practice can afford to think they’ll fall under the radar on HIPAA compliance. Breach investigations are on the rise—and so are the penalties.
Get help identifying your HIPAA compliance gaps, and learn how Stericycle can make your life easier with our comprehensive HIPAA Compliance Program.