On October 8 at the MGMA annual conference in San Diego, Calif., two MGMA Government Affairs members and an independent attorney gave attendees a summary and analysis of the latest changes to key federal privacy and security requirements, including breach notification, business associates and new patient rights, all part of the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule published earlier this year.
Since the updated version of HIPAA went into effect on Sept. 23, providers have been busy prioritizing compliance activities, understanding the breach notification rule and patients’ rights, and following new requirements related to business associates (BAs).
But there still seem to be as many questions as there are answers. Robert Tennant, senior policy advisor, MGMA Government Affairs; Amy Nordeng, senior counsel, MGMA Government Affairs; and Susan Miller, an attorney from Concord, Mass., provided a comprehensive explanation of the regulations as well as practical solutions for incorporating these requirements into a practice.
The presenters outlined the following 12 steps to reach HIPAA compliance:
1. Begin with a thorough risk assessment
2. Review all current policies and procedures (gap analysis)
3. Identify all locations with protected health information (PHI)
4. Determine whether encryption is warranted and to what extent
5. Review your medical record retention and destruction policies to confirm that data is being destroyed properly
6. Create a cost-effective plan to mitigate the top risks (e.g., physician laptops)
7. Ensure BA contracts are modified
8. Update policies and procedures
9. Train impacted staff
10. Take a cross-functional approach to compliance
11. Use this as an opportunity to do a HIPAA house cleaning
12. “HIPAA-tize” your staff
Tennant and Miller also proposed some additional basic “best practices” that organizations can deploy to better protect themselves:
- Recognize that as patient data is being moved electronically, it becomes vulnerable.
- Know that patients are getting more sophisticated about their own data, and frankly, more concerned about who is getting access to it.
- Always be thinking how you can best protect your data.
- Be very cautious, especially in regards to mobile technology. That’s where the real risk is.
- Shred or securely wipe the hard drives in copiers and fax machines before they leave your control.
- Encrypt your e-mail, or don’t put PHI in an e-mail.
- Instead, load patients’ lab results, appointment notices, and prescription refills to the patient portal.
- For social media, your office needs a policy for when you will include ePHI (electronic PHI) in social media and when you will not permit it.
- Make sure back doors of offices aren’t kept open and position computer screens so they can’t be seen.
- Have a sign-in sheet not only for patients, but also for vendors.