Think your healthcare organization or health plan has healthcare privacy covered? Think again.
A series of supplemental guidance issued by the Department of Health and Human Services Office of Civil Rights (OCR) in recent weeks is giving healthcare providers, health plans, healthcare clearinghouses (covered entities) and their business associates even more to do. They must review and update their policies, practices and training for handling protected health information. This is beyond bringing their policies and practices into line with OCR’s restatement and update to the Omnibus Final Rule that OCR published Jan. 25, 2013.
Covered entities generally had to be in compliance by Sept. 23, 2013, but many covered entities and business associates have yet to complete the policy, process and training updates required to comply with the modifications implemented in the Omnibus Final Rule.
Even if a covered entity or business associate completed the updates, however, recent supplemental guidance published by OCR means that most organizations now have even more work to do on HIPAA compliance. This includes the following supplemental guidance concerning its interpretation and enforcement of HIPAA against covered entities and business associates published by OCR since Jan. 1, 2014 alone:
Beyond this 2014 guidance, covered entities and their business associates also should look at enforcement actions and data as well as other guidance OCR issued during 2013 after publishing the Omnibus Final Rule, such as:
With OCR stepping up both audits and enforcement and penalties for violations, covered entities and business associates should act quickly to review and update their policies, practices and training to implement any adjustments needed to maintain compliance and manage other risks under these ever-evolving HIPAA standards.
When conducting these efforts, covered entities and business associates should not only carefully watch for and react promptly to new OCR guidance and enforcement actions but should document their commitment and continuing compliance and risk-management activities, while taking well-documented, reasonable steps to encourage business associates to do the same. This documentation could help demonstrate that an organization maintains the necessary “culture of compliance” commitment needed to mitigate risks in the event of a breach or other HIPAA violation.
When carrying out these activities, most covered entities and business associates also will want to take steps to monitor potential responsibilities and exposures under other federal and state laws, such as: the privacy and data security requirements that often apply to personal financial information; trade secrets or other sensitive data; and judicial precedent.