
LIVE from MGMA13: An Action Plan for HIPAA Omnibus Compliance

October 8, 2013
by Rajiv Leventhal
Presenters provide practical solutions for incorporating federal privacy and security requirements into practice

On October 8 at the MGMA annual conference in San Diego, Calif., two MGMA Government Affairs members and an independent attorney gave attendees a summary and analysis of the latest changes to key federal privacy and security requirements, including breach notification, business associates and new patient rights, all part of the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule published earlier this year.

Since the Omnibus Rule's compliance date of Sept. 23, providers have been busy prioritizing compliance activities, working through the breach notification rule and patients' rights, and following the new requirements related to business associates (BAs).

But there still seem to be as many questions as answers. Robert Tennant, senior policy advisor, MGMA Government Affairs; Amy Nordeng, senior counsel, MGMA Government Affairs; and Susan Miller, an attorney from Concord, Mass., provided a comprehensive explanation of the regulations as well as practical solutions for incorporating these requirements into a practice.

The presenters outlined the following 12 steps to reach HIPAA compliance:

1. Begin with a thorough risk assessment

2. Review all current policies and procedures (gap analysis)

3. Identify all locations with protected health information (PHI)

4. Determine whether encryption is warranted and to what extent

5. Review your medical record retention and destruction policies to confirm that data is being destroyed properly

6. Create a cost-effective plan to mitigate top risks (e.g., unencrypted physician laptops)

7. Ensure BA contracts are modified

8. Update policies and procedures

9. Train impacted staff

10. Take a cross-functional approach to compliance

11. This is a good opportunity to do a HIPAA house cleaning!

12. “HIPAA-tize” your staff

Tennant and Miller also proposed some basic "best practices" organizations can adopt to better protect themselves:

  • Recognize that as patient data is moved electronically, it becomes exposed to new risks.
  • Know that patients are getting more sophisticated about their own data, and frankly, more concerned about who is getting access to it.
  • Always be thinking about how you can best protect your data.
  • Be very cautious, especially with regard to mobile technology. That's where the real risk is.
  • Sanitize or physically destroy the hard drives in copiers and fax machines before the devices are returned, sold, or discarded; these devices can retain images of every document they process.
  • Encrypt your e-mail, or don't put PHI in an e-mail.
  • Instead, post patients' lab results, appointment notices, and prescription refills to a patient portal.
  • For social media, your office needs a written policy that states when ePHI (electronic PHI) may be included in social media and when it is not permitted.
  • Make sure the back doors of offices aren't propped open, and position computer screens so they can't be seen by passers-by.
  • Have a sign-in sheet not only for patients, but also for vendors.

Healthcare Informatics has even more coverage of the HIPAA Omnibus Rule, as seen below:

The Guidance Begins to Roll Out

As HIPAA Omnibus Compliance Ticks Closer – What Should Providers Know?

In HIPAA “Possession” is 10/10ths of The Law

Looking at the HIPAA Final Omnibus Rule: An Attorney's Perspective

HIPAA Omnibus: Strategies for Compliance (Podcast)

One Big Issue the HIPAA Omnibus Rule Doesn’t Address