HITECH Survey: Providers Remain Concerned About HIPAA Breach Notifications

By dnicastro@hcpro.com
February 19, 2010

Editor's note: This is the third of a three-part series this week focusing on expert advice on complying with HIPAA and preparing for HITECH regulations. The HITECH compliance date for business associates to comply with the security rule was Wednesday, February 17.

HITECH compliance for business associates (BAs) has come and gone. The date for BAs to comply with the HIPAA Security Rule and the use and disclosures provision of the privacy rule was February 17. Further, breach notification enforcement begins February 22.

So where does your organization stand? Are you ready? Your BAs?

We can give you a pretty good idea after seeing the results of HCPro's HIPAA and HITECH survey, which was rolled out over the past two weeks. It attracted nearly 600 respondents, mostly HIPAA compliance officers and HIM directors.

For starters, if your organization has done something with its HIPAA compliance program in light of HITECH, you're in the majority: 89% said they've responded.

And exactly what have they done?

  • Rewrite policies and procedures: 74%
  • Revise or draft new business associate agreements: 71%
  • Conduct additional training: 65%
  • Conduct an internal audit to evaluate your organization's program: 36%
  • Purchase resources to educate yourself on changes to the law: 28%
  • Hire a consultant to evaluate your organization's HIPAA compliance program: 6%

One respondent said they created a breach notification action response team, which seems to be a good idea when you consider the interim final rule on breach notification took effect last summer.

Those regulations require:

  • Notice to patients alerting them to breaches "without unreasonable delay," but no later than 60 days after discovery of the breach
  • Notice to covered entities (CEs) by BAs when BAs discover a breach
  • Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
  • Notice to next of kin about breaches involving patients who are deceased
  • Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE's response
  • Annual notice to the secretary of HHS 60 days before the end of the calendar year about unsecured PHI breaches involving fewer than 500 patient records

"Breach notification" earned the No. 1 spot to our survey's question, "Which provision of the American Recovery and Reinvestment Act of 2009 do you feel is the most challenging?"

It took top honors at 39%, and only 29% said they were completely ready to comply with those requirements; 61% said they were "almost ready" to comply. Amending business associate contracts took No. 2 in terms of the most challenging aspects of ARRA/HITECH at 18%. Finishing third with 16% was "Patients' rights to accounting on EHRs," which some told us earlier will be a logistical "nightmare."

BA requirements under HITECH have changed drastically. Most survey respondents said they feel their BAs are ready, but the scary part is 45% said they are not confident in their BAs' readiness.

Thinking about updating your training? An overwhelming majority (71%) of respondents said they update their training only annually. And only 31% said they are "very comfortable" that the training is effective. Most (63%) said they are "fairly comfortable."

So what's the parting message here, now that HITECH has essentially arrived?

Kate Borten, CISSP, CISM, president of The Marblehead Group, offers these quick tips:

  • Convert more organization leaders to become privacy and security believers
  • Stay focused and do not become overwhelmed by privacy/security responsibilities or discouraged by setbacks
  • Develop a 2010 work plan that is both achievable and a stretch for you and your organization

John Parmigiani, president, John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and one of the members of the team that created the HIPAA Security Rule, says he hopes HITECH is the wakeup call that providers and enforcers need regarding HIPAA compliance.

"Having worked both with CEs and BAs over the years in attempting to foster HIPAA compliance, I am continually amazed at the lack of understanding and completeness in their HIPAA compliance," Parmigiani says.

Covered entities have been "emboldened by a long-standing environment of lax enforcement" and a belief that HIPAA compliance is a one-time project. It is not, he says, and perhaps government enforcement will be a harbinger for better compliance.

Through HITECH, OCR should easily be able to gain some "street cred" by quickly launching an audit initiative and "thereby sending a signal that compliance with HIPAA security and privacy is an important component of healthcare," he says.

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
