Healthcare privacy and security leaders are beginning to assess the work their organizations will need to do to comply with the recently published HIPAA Omnibus Rule.
For starters, healthcare organizations need to prepare to modify their Business Associate Agreements and Notice of Privacy Practices. They're also evaluating how to change the way they assess whether breaches need to be reported in light of new guidance in the rule.
But as an important first step, you need to tackle the challenging task of mapping out responsibility for carrying out compliance work.
Assign Responsibility
PeaceHealth, a delivery system with facilities in Washington, Oregon, and Alaska, is designating "owners" for various compliance tasks, says Christopher Paidhrin, who'll soon take on the job of information services and technology administration manager.
"I mapped out both the privacy and security protocols from the HHS website and tagged each with an 'owner,'" Paidhrin explains. The owner is an executive or manager in charge of overseeing the project. Plus, an individual or team was designated with responsibility for executing each project, and a list of those who should be consulted or informed was prepared. Paidhrin then ranked projects based on deadlines and priorities.
A link to this responsibility and project matrix was added to PeaceHealth's project documentation repository. "Our thinking is that projects have milestones and timelines that can be managed and reported on," he says. Weekly progress reports help maintain project momentum, he adds. "The trending information provides us with a risk and compliance heat map for executives."
PeaceHealth also is reviewing and consolidating its policies, procedures, and processes. "We have very clear policies, but they need to be tweaked for the final rule," Paidhrin says. "Our procedures are defined, but we need to make our documentation more complete. We're always looking for efficiencies in our processes."
Set Priorities
The University of Pittsburgh Medical Center is also going through an assessment process. Privacy officers at each of its 20 hospitals are sizing up the compliance work that needs to be done at their facilities and the training their staff will need, says John Houston, vice president, and privacy and information security officer.
Staff training also will be an important priority at St. Dominic Jackson Memorial Hospital, a 571-facility in Jackson, Miss. "I anticipate we'll be revising guidelines to ensure compliance with these regulations and taking a look at our training to see where we need to improve," says Dena Boggan, St. Dominic's HIPAA privacy and security officer.
At UAB Medical Center in Birmingham, Ala., initial compliance work will focus on identifying all documentation and processes where changes need to be made, says Shelia Searson, UAB medical center privacy officer.
"We will need to review almost everything 'HIPAA' our privacy notice, policies, procedures, forms, and documents. The changes contained in the omnibus final rule touch almost every HIPAA-related issue for our institution," she says.
Business Associate Agreements
Many organizations will be rewriting business associate agreements because the omnibus rule clarifies that these vendors with access to patient data must comply with HIPAA.
The Good News
The good news for Health Care Compliance Pros' clients is that we are prepared to help you with all the tasks you need to accomplish to achieve compliance with the new HIPAA Omnibus Rule:
- Business Associate Agreements
- Notice of Privacy Practices
- Policies and Procedures
- Forms; and
- Much more
We will be sending out information to you on your updated policies and procedures and provide the updated forms as well in the very near future.
Let us help you. We have helped thousands of practices already.