Health Information Management

Tip: Take steps to comply with HIPAA Omnibus rule

HIM-HIPAA Insider, April 22, 2013

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Organizations have until September 23, 2013, to get into compliance with the HIPAA Omnibus rule released in January. Each healthcare organization will need to determine where its priorities lie, depending on the state of its current HIPAA compliance program.

Consider these three steps as part of your implementation plan:
  1. Conduct a risk analysis. A risk analysis identifies the specific risks your organization faces. From there, you can build your own list of required actions and set priorities. It will also show whether you are missing a particular policy or need to update a certain procedure.

    Make sure your risk analysis reflects vulnerabilities highlighted in recent HHS guidance, such as the threat to the security of PHI from mobile devices.
  2. Amend your Notice of Privacy Practices. Some organizations may not have looked at this document for years, or may have delayed updating it until HHS published the final rule.

    Review your existing Notice of Privacy Practices and be sure it addresses the additional patients' rights included in the final rule. It's a good springboard for addressing all the actions you must take. For instance, under the final rule a patient has the right to direct an organization to transmit his or her PHI electronically to a third party. That prompts a review of policies and procedures and draws others, such as your medical records and information technology leaders, into the process. That collaborative effort can build momentum as you implement the rest of the final rule changes.

    Once it's revised, make sure the new Notice of Privacy Practices is properly posted and distributed. You will need to provide it to new patients and make the revised notice available to existing patients.
  3. Review and update your privacy and security policies and procedures. Read the rule and perform a gap analysis to determine which policies and procedures you need to revisit in light of the changes. For instance, you may need to make changes based on the new marketing restrictions and the new restrictions on disclosures of PHI.

    This is also a good opportunity to review and update your existing policies and take into account OCR guidance. The agency recently released guidance on de-identification and on mobile devices.

For more steps to consider, read "Ten steps to help you comply with the HIPAA final rule" in Briefings on HIPAA.
