The clock is ticking for compliance with the Sept. 23 deadline for the HIPAA Omnibus Rule, and healthcare providers with limited resources will find compliance preparation particularly challenging.
Providers are still struggling to figure out what they need to do. The problem organizations run into is that they typically don't have anyone on staff who has the expertise to help them understand what is required.
Organizations can start by setting up a to-do list of chores that need to be tackled, including updating their patient privacy notices, identifying vendors that need new or updated business associate agreements, revising procedures for assessing whether a breach must be reported, and updating their risk assessments to identify ways to prevent breaches. Smaller organizations must keep in mind that they have the same compliance responsibilities as much larger entities.
OCR has made this point clear in recent enforcement actions, in which it has slapped smaller organizations with penalties as a result of investigations following breaches. That includes a hospice that experienced a breach affecting fewer than 500 individuals.
"There are no excuses for noncompliance, which now would be considered 'willful neglect' and put an organization into the highest category of enforcement," says independent healthcare security consultant Tom Walsh. Many smaller organizations will likely need to get some outside help, especially for more complex work such as risk assessments, he says. Risk assessments can be quite overwhelming.
HIPAA Omnibus spells out a more objective standard to determine whether breach notification is merited based on the probability that data was compromised. So staff will need to know about new procedures for reporting incidents.
Under HIPAA Omnibus, business associates, as well as their subcontractors, that create, receive, maintain or transmit protected health information on behalf of a covered entity are now directly liable for HIPAA compliance.
At Healthcare Compliance Pros, we have the answers for you to meet your obligations under HIPAA Omnibus and eliminate the possibility of HIPAA-related fines. Let us help you with:
- Risk Assessment
- Notice of Privacy Practices
- Policies and Procedures
- Breach Notification
- Training your employees