As reported by Health and Human Services (HHS) HIPAA fines and audits are significantly on the rise. 5% of practices are being audited against the HITECH Act and Omnibus Rule. Are you compliant?
“How do all these regulations affect me as a Healthcare Covered Entity or Business Associate?”
To answer that question, let’s first look at what the regulations are and get a brief description. Once we read and understand what we are facing, the steps to complying with the rules should be attainable. I would love to say attaining compliance is easy, but with anything in life, if you want success you will have to work for it.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was created to motivate the implementation of electronic health records (EHR) and supporting technology in the United States. President Obama signed HITECH into law on February 17, 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
The HITECH act specified that by the beginning of 2011, healthcare providers would be given monetary incentives for being able to demonstrate Meaningful Use (MU) of electronic health records (EHR). These monetary incentives, up to $44,000 per doctor, will be offered until 2016, after which time penalties will be levied for failing to demonstrate such use. www.compliancy-group.com/what-is-the-hitech-act/
FYI, the main failure that the centers for Medicare and Medicaid have discovered when auditing providers who have implemented an EHR system is their failure to perform a proper Risk Analysis.
The United States Government’s requirement to implement Electronic Medical Records and Health IT compliance has prompted the US Government to adopt the long awaited HIPAA Omnibus Rule http://compliancy-group.com/hipaa-omnibus-rule
The Omnibus Rule was finalized by the Office for Civil Rights (OCR). The Office of Management and Budget (OMB) approved the final rule and subsequently published it in the Federal Register.
The rule effectively merges four separate rulemakings, which are as follows:
- Amendments to HIPAA Privacy and Security rules requirements;
- HIPAA and HIPAA HITECH under one rule now
- Further requirements for data breach notifications and penalty enforcements
- Approving the regulations in regards to the HITECH Act’s breach notification rule
It is apparent for this new rule that the health care industry will need to educate patients with regards to their privacy and disclosure rights. Patients will need to know how their information is used and disclosed, and how to submit complaints pertaining to privacy violations. Health Care providers should also try to better understand HIPAA requirements so that they are aware of their risks and responsibilities towards their patients.
In addition, the Omnibus Rule includes provisions that would govern the use of patient information in marketing; eliminates and modifies the “harm threshold” provision that presently allows healthcare providers to refrain from reporting data breaches that are deemed not harmful; ensures that business associates and subcontractors are liable for their own breaches and requires Business Associates to comply with HIPAA for the first time since HIPAA was first introduced. The rule also requires HIPAA privacy and security requirements to be employed by business associates and sub-contractors.
So, what does compliance with these rules look like? Is it a 3-ring binder on a shelf with some policies, is it an online training course, or is it my IT person telling me I am protected? Actually, it is a little of all three.
- RISK ANALYSIS– A true risk analysis covering Administrative, (Policies and Procedures), Technical, (How are your Network, Computers, Routers, protected), Physical, What safeguards have you put into place at your location? (Alarms, Shredding, Screen Protectors).
- RISK MANAGEMENT- The risk analysis is going to identify deficiencies. Risk Management is then put in place to track how your remediation plan will work to fix the deficiencies that were found during the Risk Analysis.
- VENDOR MANAGEMENT– Vendor Management tracks the companies and people that access your site where PHI or ePHI is stored and keeps track of who you share PHI or ePHI with. Depending on the relationship, you will want to have either a Business Associate Agreement (if they meet the requirements for being labeled a Business Associate) or a Confidentiality Agreement. Remember, for Business Associates, an agreement alone is not enough; you also need assurances that they are complying with the HIPAA Security Rule before you share or continue to share PHI or ePHI with them.
- DOCUMENT MANAGEMENT– It is hard to imagine compliance without a place to store policies, procedures, business associate agreements, or any other compliance documents. Why you ask? Because the rule specifically states that you must retain all compliance documents for a min of 6 years (depending on the state your business is in these rules may be more stringent).
5. TRAINING OF YOUR STAFF– One of the most important aspects of compliance is the tracking of not only HIPAA 101 training for your staff, but also of your staff’s acknowledgement that they understand the HIPAA Privacy and Security Policies that you