An announcement from The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) scared and panicked healthcare professionals and their business associates.
OCR warned that it is about to start checking whether covered entities (any health plan, healthcare clearinghouse, or healthcare provider that electronically transmits PHI) comply with the HIPAA standards throughout 2016. Many organizations are worried not only because they are uncertain whether they would pass the compliance audit, but also because it is not clear exactly which aspects of their businesses will be tested and how the procedure will go.
Any organization transmitting electronic Protected Health Information (ePHI) should be HIPAA compliant. The main purpose is protecting the security and confidentiality of patients' data, but it also helps the business avoid being fined or even sued.
In order to understand what is required for the HIPAA standards to be met and what the consequences would be if they are not, covered entities and their business associates (any person or group that generates, stores, receives, or transmits PHI on behalf of the covered entity) should carefully look through the recent changes.
Until now, the OCR only investigated cases that arose from a complaint, a tip or a media report, but it now intends to launch an audit program for proactive evaluation. Although the Health Information Technology for Economic and Clinical Health (HITECH) audit has been in effect for a few years now, a recent report by the Office of Inspector General revealed that OCR has not been paying HIPAA compliance the necessary attention. The OCR has now decided to improve its examination techniques with a new phase of audits, which was meant to start in 2014 but ran into a few obstacles.
After the changes, any covered entity with fewer than 15 physicians, as well as healthcare business associates, can be the subject of such an audit. It is important to note that in some states these definitions differ, and a business should be familiar with its state rules or seek legal consultation if necessary.
Even though the chances of an entity being audited without prior warning are very slim, it should be constantly updating its HIPAA security and strategy. This will not only be in its favor if an unexpected audit occurs, but also helps with its reputation.
In 2013 the Department of Health and Human Services (HHS) published the HIPAA Omnibus Rule, a set of final regulations and modifications regarding HIPAA. Although the rule has been on the table for a few years now, because of OCR's lousy investigation efforts some businesses have still managed to circumvent the rules and continue practicing without making any adjustments to comply with the standards. Covered entities should constantly make sure they are up to date so that they are not at risk in case of an audit.
Furthermore, until now, covered entities were held responsible for any non-compliance or violations, but from now on these responsibilities will be shared equally with their business associates. Also, all business associate agreements should be updated with the changes and must be signed before any services are used.
Moreover, the Omnibus Rule brought many definition changes with which all privacy policies must comply. Every entity must adjust its policies with regard to the rights of patients to access their ePHI, the handling of deceased individuals' information, and responses to access requests. It also has to take into account the restrictions concerning the distribution of ePHI and school immunizations, the use of ePHI for marketing, fundraising and research efforts, and the disclosure of information to Medicare and insurance providers.
When it comes to an organization's information security, its employees can be either a liability or an asset. All employers are required to train their staff so that they are familiar with all the changes the Omnibus Rule introduced. The whole training procedure must be documented.