
HIPAA Compliance Questions to Ask as HITECH Date Nears

By dnicastro@hcpro.com | February 15, 2010

Editor's note: This is the first of a three-part series this week focusing on expert advice on complying with HIPAA and preparing for HITECH regulations. The HITECH compliance date for business associates to comply with the security rule is Wednesday, February 17.

As a HIPAA covered entity, you should watch HITECH closely.

But HITECH compliance is really about HIPAA privacy and security rule compliance.

So as your organization works to comply with breach notification regulations and sets up a "harm threshold" risk analysis team, per HITECH, it should also go back to HIPAA security 101.

"HITECH did include significant changes, but the bottom line is that security officers especially need to make sure they actually comply with the HIPAA Security Rule," says Chris Apgar, CISSP, president, Apgar & Associates, LLC, in Portland, OR.

Business associates (BAs) are concerned that by February 17, they must comply with the HIPAA Security Rule and the use and disclosure provisions of the privacy rule. In reality, Apgar says BAs should have been compliant since 2003 for privacy and 2005 for security, by contract.

"Yes, the new requirements [especially breach notification] need to be addressed, but the bottom line is many covered entities and business associates have consistently failed to comply with the HIPAA Security Rule," Apgar says. "I find this over and over when conducting compliance audits."

And HIPAA Security Rule compliance is far from all technical. The most significant area of risk, and the largest section of the security rule itself, is administrative safeguards.

"You can have the best technical security infrastructure in the industry, but that will not adequately protect against breaches and carelessness," Apgar says. "This is another reason why training and policies and procedures are so important."

Apgar says the security rule requires covered entities and BAs to ask these questions:

  • Have I conducted a risk analysis lately, and did I properly document it, mitigate the risks it identified, and document where remaining risks were judged acceptable?

  • Is my privacy/security training current? Do I train new workforce members who will have access to protected health information (PHI)? Do I regularly conduct refresher training for all staff? Do I send out security reminders?

  • Are my policies and procedures complete, current and enforceable? Have I trained workforce members on the policies and procedures they are required to adhere to?

  • Have I implemented a comprehensive audit program (the security rule requires three periodic audits and an "evaluation" or compliance audit)? When did I last conduct an "evaluation"? Did I address audit findings, and did I properly document it?

  • Do I have current, up-to-date, and communicated disaster recovery and emergency mode operations plans and have they been tested recently?

  • Do I follow CMS' remote access guidelines (not strictly part of the rule, but CMS earlier indicated that remote access management would be included as an audit criterion)?

  • What am I encrypting (e.g., data in transit, data at rest, etc.), and how am I protecting non-electronic PHI (breach notification and the privacy rule's "mini-security rule" requiring administrative, physical, and technical safeguard implementation for non-electronic PHI)?

OCR will be auditing facilities to check for HIPAA compliance, though it says it does not know when.

It will audit entities of all sizes from the sole practitioner to the multi-state healthcare corporation. And it's good to remember, Apgar says, that if any complaint is filed with OCR alleging willful neglect or suspected willful neglect, OCR is mandated by statute to investigate.

Above all, go back to the drawing board and make sure you're HIPAA compliant.

"It's difficult to comply with HITECH if you haven't complied with HIPAA in the first place," Apgar says.

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
