image courtesy of datapipe.com
A HIPAA compliance checklist combined with a thorough risk analysis will help you assess your organization’s compliance with Omnibus Rule changes.
Use this HIPAA compliance checklist to help determine which changes will affect your business so you can decide where to focus your risk analysis assessments, training, and other compliance activities.
In addition, please visit out HIPAA – HITECH Resources page for links to more information.
The term “business associate” (BA) has been expanded to include the following:
- Any subcontractor, or a subcontractor under a subcontractor – essentially, no matter how far downstream from the original entity, each is individually liable for compliance
- Any entity providing data transmission services including health information organizations and e-prescribing gateways
- Data and document storage companies
- The deadline for all Business Associates to be in compliance with the new provisions contained in the final Omnibus rule is September 23, 2013
- If a contract was entered into prior to January 25, 2013 and remains unchanged and not renewed, it can stand until September 23, 2014
- All new, renewed, or amended contracts after January 25, 2013 must be compliant with current laws
- BAs must also enter into BA agreements with all of their subcontractors that create, receive, maintain, or transmit PHI
Security Rule Changes
- BAs are now required to meet all requirements of the Security Rule including risk analysis, implementation of security procedures, training, and having a breach response plan in place
- Breach response plans should include steps to immediately correct the problem, and the four-part risk assessment provided in the new HIPAA requirements should be noted
- BAs must report to the original covered entity if there is a breach of security and are responsible for compliance
- BAs can be subject to significant fines for noncompliance and breaches
Privacy Rule Obligations
- Disclosure of PHI must be limited to only those permitted or required
- PHI must be kept in a designated record set
- An accounting of disclosures must be available
- Maintaining compliance records and cooperating with all compliance investigations performed by the Office for Civil Rights (OCR)
A number of Privacy Rule changes were made that may or may not apply to a particular BA, depending on where their services fall on the information spectrum. These changes include:
- Restrictions on disclosure of information when a patient pays out-of-pocket for a service
- Increased restrictions on how PHI may be used for marketing and fundraising purposes
- The sale of PHI is now strictly prohibited unless individual authorization is received
- Release of immunization records to schools that are required to collect such information
- Patient’s rights to receive electronic copies of their health records have been expanded
- Genetic Information Nondiscrimination Act (GINA) will prohibit health plans from using genetic information for underwriting purposes
- Expanded access to deceased individual’s information to family members or others
- If any of these Privacy Rule changes apply, ensure that policies are compliant and that employees are trained properly
Enforcement and Penalties
In general, the penalties have increased significantly, and the Office of Civil Rights will be stepping up its enforcement activity with audits being performed proactively rather than solely complaint-driven.
Obtaining a HIPAA Compliance Review
To get a quote for a HIPAA Compliance Review, please fill out the below contact form and we will contact you to discuss the details of this process.
Comments or questions are welcome.