For providers without in-house expertise to train employees about security and patient privacy, training materials are available for sale, she adds.
Providers must do all this while at the same time expanding authorized access and exchanging protected health information with patients and other providers.
"The more we're pushing for transparency and interchange of records and patients being able to have a lot of access to their own records online, the more you have to think about security and privacy," McNutt says. "We want to give patients portals, but how can we make sure that we've made it secure enough that someone can't hack in and get that patient's records? This raises the bar on the need for security."
As with all corporate security, that can be a tricky balance. Easy-to-remember passwords may be less secure than more difficult-to-remember ones, for instance.
Two more factors arriving at the same time as the new HIPAA omnibus rule are the provider movement toward storing PHI in the cloud and the bring-your-own-device phenomenon among healthcare employees.
"You need to have cloud storage vendors to agree to a business associate agreement to store company data," McNutt says. "One thing that's keeping a lot of CIOs up at night is the explosion of mobile devices and people's desire to do cloud sharing."
Some cloud providers are refusing to enter into business associate agreements with healthcare providers and, therefore, should not be considered for storing the provider's PHI-based data, McNutt says.
As providers enter into health information exchange agreements, they also can expect to spend considerable time discussing and crafting documents assuring that the appropriate risk assessments and HIPAA compliance steps are being taken in connection with PHI flowing to and from those HIEs, McNutt says.
"It took us over a year to go through contracts in regard to data sharing with the HIE," McNutt says. "Business associate agreements are important to legally protect an organization should a breach occur within the HIE. However, a breach by a provider's business associate could reflect back on the provider, causing reputational harm."