By Greg Bengel, contributing writer
Providers must toughen security and privacy as compliance deadline for new HIPAA rules approaches
Last March, the final omnibus rule modifying HIPAA security, privacy and breach notification, and enforcement rules went into effect. Now, the September 23 deadline for covered entities to reach compliance is rapidly approaching.
For many providers, reaching compliance might be daunting. Health and Human Services (HHS) Office for Civil Rights (OCR) Director Leon Rodriguez called the changes imposed by the rule “the most sweeping changes to the HIPPA Privacy and Security Rules since they were first implemented,” in this HHS press release. Also quoted is HHS Secretary Kathleen Sebelius, who notes that the world has changed rapidly in the fifteen years following HIPAA’s original enactment. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age,” she says.
The new rules toughen security and privacy standards for healthcare providers and extends direct liability for security violations to business associates and subcontractors. Boris Segalis’s article for Information Law Group offers a meticulous rundown of the key changes. Health Data Management’s recent article is also helpful in understanding the new provisions.
According to a recent article in Becker’s Hospital Review, the Centers for Medicare and Medicaid Services (CMS) interprets the omnibus rule as a directive for providers to “conduct or review a security risk analysis,” “implementing security updates as necessary,” and correcting “identified deficiencies as part of [its] risk management process.”
Again, this may prove to be no easy task. The OCR recently audited 20 healthcare providers to evaluate compliance with HIPAA privacy and security rules, finding numerous deficiencies. Of those deficiencies, 65 percent were security related and 26 percent were privacy related. The Becker’s Hospital Review article quotes Rodriguez on the audits. “What we’re learning from the audits,” he says, “is there’s plenty of noncompliance out there and plenty of room for improvement.”
Specifically, according to the article, providers need to be better at inventorying their data, at continuously assessing their security risks, and at tightening their controls.
In order to prepare for the approaching deadline, HIPAA covered entities should be revising agreement forms with business associates and training employees on updated obligations. This article on smithlaw.com offers a bullet-point list of what healthcare providers can be doing to prepare for the new provisions.