New provisions are creating a new audience that must deal with the federal law.
With numerous regulations and deadlines related to the Health Information Technology for Economic and Clinical Health Act falling in February, the HealthLeaders Media News & Analysis team helped get hospitals and physicians ready for the changes.
One of the biggest deadlines dealt with business associates. For years, physicians have needed to have agreements with clients to help secure protected health information, but the revised HIPAA rules in HITECH included provisions that required BAs to comply with the HIPAA security rule and the use and disclosure provisions of the privacy rule—just like the so-called covered entities. HITECH also expands civil and criminal penalties for BAs that violate the rules and requires Office for Civil Rights compliance audits of BAs.
And while some were dubious about whether the feds would hit their deadlines (Feb. 17 was established as the day BAs had to comply with the security rule), in the weeks leading up to the deadline, our online news team offered tips to hospitals and doctors.
These tips still apply today. As of last month, OCR is enforcing the provisions of the interim final rule on breach notification, which identifies the steps covered entities and BAs must take if they have a breach of unsecured PHI.
Here is some analysis based on reporting by Dom Nicastro.
Five Stumbling Blocks Hinder HIPAA Compliance
When Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR, conducts audits of healthcare organizations, he usually finds problems in five areas.
Many organizations are focusing on the new privacy and security requirements created by the HITECH Act. However, they also must measure their overall compliance with HIPAA requirements already on the books, says Apgar.
Facilities and organizations considering what to do next should concentrate on compliance matters in these five areas, says Apgar:
Lack of a risk analysis. Organizations either haven't conducted a risk analysis or they last conducted one in 2005 when the HIPAA rule became final, he says. A risk analysis is "the foundation for your security program," he says. "You need that to build on."
Undocumented policies and procedures. Organizations may be doing the right thing, but they haven't documented it in their policies and procedures, he says. Less frequently, organizations do not follow proper procedures and do not have anything in writing.
Lack of training. Organizations may train new staff members, but many don't provide ongoing training, or the training they do offer is out-of-date, he says.
Failure to conduct compliance audits. The security rule calls this an evaluation, but it's really a compliance audit, says Apgar. Organizations need to conduct an annual compliance audit and should also conduct periodic audits, including an information systems activity review. "It's not happening in organizations. They either have never done it or don't do it on a consistent basis," says Apgar.
Lack of disaster recovery planning and emergency mode operations. Organizations either don't have a plan or it is out-of-date. Or the plan may focus only on how the organization will get its computers back up and running during an emergency. But consider a hypothetical situation: There is a flu pandemic and most of your staff members are out sick. The computers are running, but you haven't addressed how to keep your business going while trying to recover from this type of emergency. So don't focus only on technology during disaster planning. You need a business continuity plan that addresses all aspects of coping with a disaster or emergency.
So where should you begin to ensure compliance with all current regulations?
Focus first on the risk analysis and compliance audit because they "will show you where the holes are" and where your specific organization is lacking, says Apgar.
Tips to Comply with HITECH Requirements
With a February 17 deadline for all BAs to comply with the HIPAA security rule and parts of the privacy rule—or face stiff penalties—there was a lot of last-minute checking to ensure compliance. Here are some key elements that still apply today:
Know your BAs. Most important, double-check your list of BAs, says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
Make sure that anyone who could qualify as a BA has been accurately identified as a BA. For example, your organization may not realize that a consultant that has access to PHI actually qualifies.
Make sure organizations you have identified as BAs actually are, says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA Boot Camp in Casa Grande, AZ.