HIPAA Compliance: Privacy, Security, and Breach Notification

Protecting private health information presents opportunities to strengthen policies

Posted by Dawn Lomer in Healthcare on September 10th, 2013

The September 23rd deadline for compliance with the new HIPAA Omnibus Rule is almost upon us, and even if your organization has fulfilled the listed requirements, there still may be work to do on company culture, policies and training. Without follow-through, a compliance program is only an exercise in box-checking. Rules don’t hold water if there isn’t a culture of compliance to back them.

Make Someone Responsible

To ensure HIPAA compliance efforts don’t go to waste, it’s important to designate a HIPAA officer who understands the HIPAA requirements and has the power to enforce them.

“This should be an individual within the company well-versed in the requirements of HIPAA, and this person shall be in charge of devising, documenting, and implementing the policies and procedures required to comply with these requirements,” says Thomas Meena, Esq, Director of Insurance Billing Lead at Morningside Recovery. “This officer should also be available to respond to any concerns, complaints, or violations from company staff members with regards to the improper disclosure of PHI.”

Identify Risks


Each company is different and employees at different levels may require customized access and restrictions, depending on their exposure to private health information.

“Companies should look at their entire practice to determine what information is kept, who collects it, how it is stored, who has access to it, how it is used, and whether any types of information are particularly sensitive,” says Meena.

Restricting Access

Employees should be exposed only to information they need to perform their jobs.

“Entities who are required to protect PHI must carefully consider which of their employees should be permitted to access any PHI, the scope of the access that will be permitted, and how they will grant and monitor such access,” says Dayna Nicholson of Pepper Hamilton. “With regard to electronic PHI, such as that stored in an electronic health record, systems should be designed to limit user access appropriately.”

Nicholson recommends companies consider some established best practices for designing systems that control user access.

“Each user must have a unique ID and password, and the data that may be viewed should be based upon the individual’s job functions. Prior to granting access to any electronic PHI, each new user should be trained on the entity’s HIPAA-compliant privacy policies,” she says. “When an individual’s employment ends, that person’s access to the system should also be terminated immediately.”

A company should also schedule regular audits and reports that show actual access, in order to determine whether any employees have accessed PHI inappropriately, says Nicholson.

Security Measures

Locking down private health information can involve taking a variety of measures, depending on the type of information, how it is stored and who needs access to it.

“Because one third of medical data breaches – especially those involving 500 or more patient records – are instigated by the loss or theft of digital media (laptops, external hard drives, USB flash disks, backup tapes, desktop computers, etc.), the use of encryption has been pointed out as being paramount,” says Tim Maliyil, Founder and CEO of data security company AlertBoot. “There’s currently a significant push to ensure that computer devices are properly encrypted, including statements by the Office of Civil Rights at HHS, the high HIPAA breach penalties, and the Breach Notification Notice that is found under the HITECH amendment to HIPAA. There could be other federal and state laws that also come into effect when it comes to medical data breaches,” says Maliyil.

Data Breach Requirements

Under the new rules, HIPAA covered entities and their business associates must report all data breaches. “The reporting requirements vary depending on the number of people affected, but the widely known requirement is based on whether 500 or more patients are affected,” says Maliyil.

When there is a data breach, defenses are scarce and the stakes are high. “Not knowing that you had a data breach is not a legitimate defense – especially if experts determine that a medical entity should have known about it,” says Maliyil. And with data breach penalties of up to $1.5 million (and more if other fines are assessed), it makes sense to put the resources into compliance to protect your company from the risk of an expensive mistake.

 


Dawn Lomer

Managing Editor

Dawn Lomer is the managing editor at i-Sight Software and a Certified Fraud Examiner (CFE). She writes about topics related to workplace investigations, ethics and compliance, data security and e-discovery, and hosts i-Sight webinars.