Privacy and security officers got their marching orders when HHS released the long-awaited new HIPAA “Omnibus Rule” in January.
To comply with the final rule, healthcare organizations need to get working on a number of activities. The rule is enforceable 180 days from its publication in the Federal Register on January 25, giving organizations until September 23 to get into compliance.
Each healthcare organization will need to determine where its priorities lie, depending on its current HIPAA compliance program.
“There’s work here for probably everyone,” says Phyllis A. Patrick, MBA, FACHE, CHC, president of Phyllis A. Patrick & Associates, LLC, in Purchase, N.Y. “But this is not all new if you have a compliance program. Take it in steps. I think it is all doable.”
So where can you get started with the 563-page final rule? HIPAA consultants and attorneys advised taking the following steps:
1. Conduct a risk analysis. You’ve heard it many times before, but a risk analysis is a good starting place, says Chris Apgar, CISSP, CEO and president of Apgar & Associates, LLC, in Portland, Ore. By conducting a risk analysis, you will determine what specific risks your organization faces. From there, you can create your own list of actions you need to take and set priorities. With a risk analysis, you will find out whether you are missing a particular policy or need to update a certain procedure.
Make sure your risk analysis reflects vulnerabilities highlighted in recent HHS guidance, such as the threat to the security of PHI from mobile devices, says Adam H. Greene, JD, MPH, a partner in Davis Wright Tremaine, LLP’s Washington, D.C., office. “HHS has made clear the risk assessment is a high priority,” he says.