September 23, 2013 has come and gone, and you are wondering if the Office of Civil Rights (OCR) is going to “spot check” your facility for a HIPAA compliance assessment, right? The HITECH Rule that was part of the American Recovery and Reinvestment Act (ARRA) presented a number of changes, in particular the requirement that Business Associates have policies and procedures in place as if they were a covered entity. In January, the HITECH/OMNIBUS rule became law with a March 26th implementation date. The compliance enforcement date was September 23, 2013. So here we are one month later, and we are met with a slight reprieve due to the recent government “shut down”: the OCR will not resume spot checks and compliance audits until January 1, 2013. However, that does not mean that the law is not in full force for providers as well as the entire downstream of business associates.
Most of the provider world has been a bit ho-hum since the HIPAA Notice of Privacy Practices (NPP) was implemented in 2003, 10 years ago. Most patients are ho-hum too, and don’t generally want a copy of your NPP, so you may be thinking, why bother? You are likely never to have a problem with your NPP; however, when an “issue” does arise, it will become a real problem if you don’t have updated privacy practices, and policies and procedures in place to direct employees on how to handle not only privacy but also patient rights and responsibilities.
While there are many things to do to get ready (if you haven’t already done so) for this new HIPAA era, there are a couple of things that must be done sooner rather than later:
- Familiarize yourself with the Administrative Simplification Rule to get an understanding of the magnitude of the updated HIPAA requirements and the associated risks that are presented to your practice.
- Update your Notice of Privacy Practices that you already have in place, or alternatively select one of the Model Notice of Privacy Practices posted by the OCR.
- Ensure that your Business Associate Agreement (BAA) has been updated and reviewed by legal counsel to ensure protection of your practice when using Business Associates.
- Determine who is a Business Associate, issue them an updated BAA, and require that they are in compliance with all the updated HITECH/OMNIBUS regulations (and yes, this includes your rehab consultants, billing company, and anyone else handling protected health information (PHI)).
- Conduct a security and privacy risk assessment, paying special attention to mobile devices and employee use of mobile devices.
Stay tuned – more will be posted on this topic, and more resources will be available to assist the small provider.
Note: Graphic from the OCR Model Notice of Privacy Practices.