Preparing for HIPAA Omnibus
By John F. Meisenhelder, Partner, KMK
Regulations, including the Health Insurance Portability and Accountability Act (HIPAA), have a substantial impact on healthcare records management strategies. Enacted in 1996, HIPAA sets the standard for protecting sensitive patient data from costly breaches. Because its strict requirements are designed to protect patients and the entire healthcare industry, keeping up with HIPAA can be overwhelming for many medical practices. This is even more true with the recent HIPAA Omnibus Rule, published on January 17, 2013 and set to take effect on March 26, 2013.
Not following HIPAA regulations can pose significant financial risk. From 2010 to 2011, the number of data breaches affecting healthcare organizations rose 32 percent, according to research by the Ponemon Institute. The Office for Civil Rights at the U.S. Department of Health and Human Services (HHS) began receiving and publicly reporting breach incidents in September 2009. Since then, there have been 499 major breaches of medical records affecting 500 or more individuals, including 80 breaches reported this year.
It is imperative that all individuals throughout the organization understand the role they have in protecting patient information and how that role relates to the overall document management program. By highlighting common mistakes and educating staff on best practices for handling protected health information (PHI), organizations can stay compliant and in turn protect themselves and their customers.
HIPAA Omnibus Rule Presents Sweeping Changes
Major changes include the following:
- Definition of business associate and business associate agreement requirements. Under the revised definition of “business associate,” certain subcontractors of business associates are treated as direct business associates with the same compliance obligations and liability exposure. Also, the final rule modifies the content requirements of business associate agreements. As a result, covered entities and business associates will need to revise existing business associate agreements. Health and Human Services (HHS) has posted a sample version of a revised business associate agreement on its website. Nevertheless, covered entities and business associates will likely want to incorporate additional protections in their agreements.
- HIPAA enforcement rules. The Omnibus Rule incorporates the changes to the HIPAA enforcement rules under the Health Information Technology for Economic and Clinical Health (HITECH) Act. Under those rules, there are multiple categories of violations and a tiered penalty structure with increasing penalty amounts tied to levels of culpability. There is a maximum penalty of $1.5 million for all violations of an identical provision within a given year. Covered entities and business associates can expect to see increased enforcement.
- Breach notification rules. The Omnibus Rule eliminates the “substantial risk of harm” standard under the breach notification rules. As a result, any impermissible use or disclosure is presumed to be a breach requiring notification, unless the covered entity or business associate (as applicable) demonstrates through a risk assessment that there is a low probability that PHI has been compromised. As modified, the breach notification rules require consideration of at least four objective factors when conducting these risk assessments. Breach notification policies and procedures will need to be revised in response to these changes.
- Genetic Information Nondiscrimination Act (GINA) modifications. The Omnibus Rule generally prohibits health plan covered entities from using or disclosing genetic information for underwriting purposes. As a result, health plan covered entities subject to this prohibition will need to revise their Notice of Privacy Practices accordingly.
Best Practices for Reducing Risk
The 2011 Ponemon survey shows that 69 percent of organizations say that they have little or no confidence in business associates’ ability to secure patient data. While keeping up with the changing HIPAA regulations can be a daunting challenge, healthcare organizations can put a few simple guidelines in place to reduce the threat of a data breach and maintain compliance. These include:
- Train personnel. Training in HIPAA is mandatory for any employee with access to patient data. It is important that all employees are trained on proper procedures for maintaining HIPAA compliance as well as the penalties for violations. With constantly changing regulations, consider teaming up with a provider of comprehensive online employee training. Certain providers such as Cintas provide training that is engaging, effective and easy to use and track. Outsourcing your training will eliminate the guesswork of making sure all your employees are compliant.
- Encrypt sensitive information. When transmitting PHI, make sure it is encrypted in accordance with HIPAA standards and transmitted over a secure connection. Encryption is also important for data stored on desktop computers, and it is critical for laptops, tablets, smartphones and other mobile devices. If storage servers are compromised or a laptop is lost, the unauthorized access or loss will not be considered a reportable breach as long as the device is encrypted according to HHS requirements.
- Protect your paper. Many data breaches occur when documents are left lying around the office or are lost in transit. To reduce the likelihood of a data breach and limit the potential costs and/or lost revenue, medical records need to be treated as more than waste. Paper records containing PHI should never be discarded in the regular recycling or stored at a self-storage facility, but destroyed in accordance with HHS standards and stored at a secure location.
- Don’t forget about mobile devices. Your organization’s mobile device policy should clearly explain where devices can be transported and what to do if a device is lost or stolen. If your organization maintains a Bring Your Own Device (BYOD) policy, it should manage and control the data that is synced between your server and the device. That way, if a device is compromised, you can immediately delete all sensitive data remotely. You should also make sure devices are protected with strong passwords that are changed regularly.
- Team up with an expert. One of the most common ways for an organization to lower its risk of a data breach is to team up with a document management provider. Partnering with an expert that provides shredding, storage and imaging services ensures that PHI is protected throughout its life cycle, whether it is stored, moved or destroyed. The level of technology, expertise and training that the professional partner provides serves as a best practices approach to handling PHI.
By establishing a set of best practices for everyone within your organization to follow, you’ll clarify how patient information must be handled and help ensure that your document management practices comply with regulations. Contacting a secure, third-party vendor can help you be certain that you understand the issues of compliance and how to maintain it.