HIPAA Omnibus rule amendments, passed back in 2009, take full force on September 23, 2013. HIPAA Security and Compliance is a complicated beast. I will first explain the basics that remain the core, then describe the changes that take effect in a few days.
- ePHI (Electronic Patient Health Information) is required to be protected from misuse no matter where the data is stored or what medium it is transmitted over.
- Covered Entities are required to conduct periodic (I like yearly) Risk Assessments, HIPAA document reviews and employee training.
- The Security Rules are made up of Required components and Addressable components.
- Required components are mandatory to implement.
- Addressable components are items that either need to be implemented or need documentation stating why the component was not applicable or what was implemented as an alternative.
- Minimum Necessary - employees have access only to the minimum amount of data needed to perform their day-to-day duties.
- Documentation, logs and patient information must be kept for 6 years.
- Breaches of ePHI need to be disclosed.
What does the new Omnibus rule change?
- Business Associates' (BAs') responsibilities and liabilities have increased. BAs are now required to be fully HIPAA compliant.
- Business Associate Agreements (BAAs) need to be signed with all BA vendors that have access to ePHI. Not only do BAs need to be compliant; their vendors and subcontractors do as well!
- BAs are now directly subject to liability for violations by a BA defined as an agent of a Health Care Provider (HCP).
- Violations of HIPAA now carry a maximum penalty of 1.5 million dollars, plus jail time for the worst offenses; the actual penalty will be assessed by Health and Human Services (HHS) based on the circumstances.
- The definition of a BA has been expanded to any person or entity that performs services for an HCP and has access to ePHI. HHS estimates that this new rule will add about 500,000 new BAs.
- Breaches are now better defined, both in what constitutes one and in how to perform the notification. Take a look at the official breach notification page on the HHS website for some sobering statistics on the amount of ePHI data loss going on right now.
Summary: If you do business with any company that has patient records, or if you are required to sign a BAA with one of your customers, you need to be HIPAA compliant.
DeltaWare Data Solutions can assist you in determining your current status, what your gaps are, and assist in getting you fully compliant!
HIPAA compliance is not a one-time deal; portions of it are required to be performed on a yearly basis.