Don't Forget about HIPAA Privacy!

Posted by John Dimaggio on Feb 23, 2016 11:06:45 AM

In HIPAA Privacy Compliance

In today’s world of HIPAA regulations, not developing a plan for Privacy compliance is risky business for healthcare providers. Multiple government agencies are actively enforcing these laws, and the penalty for non-compliance can be costly. With so much focus on HIPAA Security, the HIPAA Privacy Rule can sometimes go unheeded. Yet the government is just as serious about enforcing Privacy regulations, and Privacy enforcement is clearly within the scope of Office for Civil Rights HIPAA audits.

When HIPAA law was updated in 2013 through the Final Omnibus Rule, Privacy and Breach regulations were intensified. Breach notification requirements were expanded, with the intent of surfacing breaches that may previously have gone unreported, by placing the burden of proving “no harm done” on the covered entity. Furthermore, the protection of PHI was changed from indefinite to 50 years after death, and harsher penalties were implemented for violations of PHI privacy requirements, applying not only to healthcare providers but also to their business associates.

Unfortunately, keeping up with complex regulations intended to safeguard patient information is a time-intensive and often ambiguous process. The HIPAA Security Rule alone includes over 60 components. When those Security requirements are combined with the numerous and sometimes complex Privacy regulations, many healthcare organizations inadvertently put Privacy compliance on the back burner, thereby setting themselves up for serious fines and penalties. While vigorous security and privacy practices ultimately protect patients, patients aren’t the only ones who expect high standards. Multiple government agencies are tracking HIPAA Privacy compliance and auditing daily practices: the HHS Office for Civil Rights, State Attorneys General, the U.S. Department of Justice, CMS and OIG all have jurisdiction.

HIPAA Privacy compliance calls for covered entities that use or disclose PHI to provide a Notice of Privacy Practices to patients, create and enforce internal privacy policies and procedures, implement employee training on those procedures, and maintain various logs, forms, and reports that provide proof they are “ensuring compliance” (the word “ensure” appears multiple times in the regulations). Additionally, they must designate an individual to oversee privacy compliance and respond to privacy-related complaints, and they must establish and enforce privacy requirements with contracted business associates.

HIPAA Breach requirements can be just as daunting, and are perhaps just as overshadowed by the Security Rule. Best practice for HIPAA Breach compliance includes continuous assessment, detection and mitigation of disclosures of protected health information. Notification is required if protected health information is disclosed in a manner “not permitted under the Privacy Rule”. All such occurrences are presumed to be a breach by default, and the burden of proof is on the covered entity to demonstrate a low likelihood that the protected health information has been compromised.

When it comes to penalties, compliance with the Privacy Rule can prevent what might otherwise be devastating fines, suits, and costly public relations headaches. Ensure your organization has the appropriate administrative, technical, and physical safeguards in place to protect the privacy of health information. When implemented correctly, proper and applicable policies and procedures, documentation, logs, reports and audits become important defenses. By ensuring compliance, you can head off civil liabilities and lawsuits, avoid onerous government corrective action, and maintain your organization’s integrity and reputation. So be sure that HIPAA Privacy is an active component of your overall HIPAA compliance regimen!

With March 1st close at hand, remember that a covered entity must notify the Secretary of HHS of any breaches that affected fewer than 500 individuals within 60 days of the end of the calendar year in which the breach was discovered.


BlueOrange Compliance has been providing privacy and security assessments, remediation and guidance since the inception of HITECH, and has over 50 years of experience in technology security, compliance and healthcare. Our national client base consists of hospitals, physician provider practices, Nursing Facilities, LTC Pharmacies, LPCs, CCRCs, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.