Angry Auditor

The new HIPAA/HITECH law has been in force for over two years. However, most healthcare providers have yet to start addressing the new requirements. It’s a daunting task for a risk assessment expert, a professional project manager, or even a CCO, CIO or COO, much less a practice manager. There are various reasons for the delay: confusion, misinformation, cost and time.

One of the most common sources of misinformation we’ve encountered among our clients is the belief that they are already in compliance! If you have not updated your HIPAA practices with the new requirements spelled out in the 2009 ARRA/HITECH Act and the 2013 Omnibus Rule, you are not in compliance! A Privacy Notice, privacy training for staff, and vague reassurance from your IT service provider are no longer enough. The new requirements place high importance on information security as well.

Another reason is that providers know there are new requirements, but perhaps only a few of the 10 major ones. Many seem to know only about the risk assessment and training. They perform a self-assessment to meet the requirement, but miss the benefits of a third-party risk assessment and of using the risk assessment to actually improve PHI privacy and security, as well as business operations.

Some may think the risks don’t justify the cost. But with fines ranging up to $50,000 per patient record and a 70+% chance of a breach, that may be a devastating gamble. Breaches now occur almost daily, and healthcare has become a target of cyber criminals over the last year. It really is a necessity to secure your PHI both physically and digitally.

Let’s look at what is actually required under the latest laws to be compliant. The new requirements include:

  1. An annual, unbiased risk assessment: over 550 questions to answer, score and then remediate.
  2. Customized policies and procedures that address how your business operates: 25+ documents, with a complete security plan.
  3. Specialized HIPAA training, based on your policies and procedures, for responsible parties (security officer, etc.).
  4. Enforcement of policies and procedures.
  5. Business Associate agreements that require BAs to be HIPAA compliant.
  6. Breach protocols and a breach notification policy.
  7. Registers to log changes: 10+ spreadsheets to track your changes.
  8. A customized contingency plan; this alone is a major undertaking for any organization.
  9. Secure email with encryption and recipient verification if you email ePHI.
  10. A complete inventory of all networked devices.
  11. Continuous network vulnerability and compliance monitoring.

It’s important for healthcare providers to understand that each requirement they implement not only helps them become more compliant, it also reduces the likelihood of audit fines and the level of fines for non-compliance. The following chart shows how implementing each requirement reduces these potential fines.

[Chart: Reduce HIPAA Fines]

Tier 4 is defined by the government as “willful neglect” and Tier 1 as doing what is “appropriate and reasonable” based on the size of the organization. The key to compliance is to start. Take our quick check, http://cyberquickcheck.com, to see how your organization scores on HIPAA compliance.