The Department of Health & Human Services announcement of the Health Insurance Portability and Accountability Act (HIPAA) omnibus final rule is the largest series of changes to the HIPAA privacy and security rules ever. In effect on September 24, 2013, the new law places responsibility on third-party subcontractors that utilize and divulge protected health information (PHI). The rule improves patient confidentiality, offers patients new claims to their own personal health information, reinforces the government's ability to impose the rule, and calls for revisions to business associate agreements.
Comprehensive Regulation Review
With the focus on increased enforcement, hospital leaders should instruct their privacy and security officers, or someone in a similar role, to conduct a comprehensive review of policies and procedures for comprehensiveness and compliance within the new ruling. A work group should be brought together quickly in these beginning stages of compliance planning as well as throughout the entire compliance review process.
Consequences for Noncompliance
Within the new rule comes new monetary penalties for noncompliance. A hospital can be charged anywhere from $100 for simply not being aware of some new standard to as much as $1.5 million for failing to take corrective action to remedy a violation. The factors that determine whether your facility is in compliance or not have also considerably changed. Consequences will be extensively based on the impact of the violation, including:
- Who was affected? What is the total number of people affected?
- When did the breach happen? Over what time period did the breach occur?
- What is the nature and degree of damage as a result of the breach?
- Did the breach cause physical injury?
- Did the violation result in financial loss?
- Did the violation damage a person's reputation?
- Did the violation impede someone's ability to acquire healthcare?
Although enforcement does not take effect until September, hospital leaders should be familiar with the changes, as resolving discrepancies related to them will go well beyond a checklist approachReviewing current compliance policies and procedures is only the first step as this offers a good opportunity to implement and sustain new controls that fit your hospital environment as well as successfully integrated into daily work activities.
Consider these action steps for compliance:
- Encourage more training and communication among staff members about the importance of compliance as well as all upcoming new requirements
- Update the hospital's breach response strategy
- Improve Patient Health Information safeguards and protection
- Assign responsibility to a person/team to review current procedures and new HIPAA requirements
- Determine a method to oversee and monitor compliance and threats. Establish measurements and indicators to quickly identify areas of concern
Key Facets of Compliance
1. Access and Agreements
The HIPAA Security Rule insists that hospitals have contracts and agreements in place to make sure that those handling the frontline information, those with PHI network access on the job, and those with remote and laptop PHI information access will properly safeguard the PHI.
2. Administrative Safety Measures
These safeguards protect the confidentiality, privacy, and security of patients' PHI.
- Classifying applicable information systems
- Performing a risk assessment
- Implementing a risk management program
- Procuring IT systems and services
- Adopting relevant policies and processes
- Implementing a policy for use and authorization
3. Physical Safety Measures
Physical measures refer to the security of actual hardware and facilities that store protected health information. This includes:
- Facility access controls - Physical restrictions to the area where healthcare IT is stored, while at the same time permitting authorized personnel to gain access
- Workstation use - Terms and conditions for proper use of workstations and their physical environment to access information
- Workstation security - Limitations on personnel access to workstations
- Device and media controls -Hardware and electronic media enclosing PHI in and out of the hospital, including elimination, reuse of media, liability, and data backup and storage
4. Technical Safety Measures
These security measures are internally built into the hospital's IT network to safeguard PHI and regulate its access. They restrict access to unauthorized personnel and code and encrypt electronic information when transmitted. Technical safeguards include:
- Access control - Controlling access to individuals or software programs via unique user ID protocols, automatic logoff, access procedures for emergencies, and coding processes
- Audit controls - Documenting PHI activity in your hospital system
- Integrity - Employing mechanisms to validate PHI to protect information from being modified or deleted
- Person or entity authentication - Verifying an individual's identity to access PHI
- Transmission security - Protecting PHI from illegal access when transferred through an electronic communications system.
For more information, read the full article on Executive Insight.