The HIPAA enforcement deadline is here, and healthcare entities have been busy finishing up compliance tasks. Over the past few weeks, many healthcare organizations were seen tackling one of the biggest compliance headaches: updating business associate agreements. This is necessitated by the HIPAA Omnibus rule, under which business associates and their subcontractors are, for the first time, directly liable for compliance under HIPAA. But that is not the only one. There have been other time-consuming tasks, such as updating notices of privacy practices and training employees.
Sharp HealthCare, an integrated delivery system in California, also underwent this deadline dash. Tom August, Director of Information Security at Sharp, said that reviewing all HIPAA-related vendors and following up with them on the new business associate agreements took a lot of coordination and time. His advice to healthcare entities is not to assume that business associate agreements have been documented with all legacy HIPAA-related vendors. Even if the relationship with a vendor is an age-old one, documenting these agreements is crucial.
This has also been the biggest compliance chore at the University of Pittsburgh Medical Center, where the task is likely to continue for some time, as the existing business associate agreements need to be revised. According to John Houston, Vice President and Privacy and Information Security Officer, the entity will continue to spend significant time on HIPAA business associate agreements because it has chosen to revamp its process and adopt better means of managing them.
Although revising business associate agreements has been a mammoth task for healthcare entities, it met with the least resistance: vendors and partners understood that these requirements were coming. However, for entities such as PeaceHealth, a healthcare delivery system in the Pacific Northwest, documenting these agreements took much more time than expected.
Dena Boggan, HIPAA privacy and security officer at St. Dominic Jackson Memorial Hospital, is of the opinion that long-term compliance paid off in her organization's case. According to her, if the entity had not taken a proactive approach to compliance, revising and reissuing business associate agreements would have been a highly challenging task.
Entities are also having to tie up loose ends with notices of privacy practices. To facilitate this, the Department of Health and Human Services issued three model Notices of Privacy Practices that reflect all consumer rights under HIPAA Omnibus. The model notices come in three styles and can be customized by users.
For most entities, however, one of the trickiest compliance tasks was finding the time to review the affected policies and procedures and propose revisions. Some entities created an implementation plan as soon as the Omnibus rule was published in January and are now reviewing that plan to ensure all tasks have been completed. Entities that did not plan early are having a tough time ensuring that all areas of the organization comply with the Omnibus rule.
Training staff on the new compliance requirements is also seen as an important step. Some entities view this as an opportunity to further educate their staff on the need for privacy, security, and compliance. In addition, with the changes to the breach notification rule, some healthcare entities are revisiting and revamping their breach assessment policies and procedures to make sure they can effectively assess and identify incidents, if any occur.
HIPAA Omnibus compliance is a highly demanding task, and it requires entities to take small, manageable steps in which roles, responsibilities, targets, and timelines are clearly defined. A sure way to achieve compliance is to prepare proactively, in advance, with the right policies and security frameworks. This is what Aegify Security Posture Management and Aegify SecureGRC provide: a built-in framework with compliance best practices that goes a long way not only in safeguarding the privacy and security of information, but also in achieving regulatory compliance seamlessly.