HIPAA Compliance, Deadlines and Due Diligence

If you’re reading this blog, chances are you’re at least slightly aware of the new HIPAA Omnibus rule changes as of 2013. The deadline for compliance has come and gone (September 23, 2013, was the effective deadline), and if you are not adequately up to par and compliant with HIPAA’s new regulations, you may want to take some time to acquaint yourself with them and act accordingly.


While the Omnibus rule itself contains a multitude of implementations and revisions (as seen in the 563-page document), a very special regard has been placed on security. With a focus on patient record privacy and restriction, the mandated changes hold a heavy influence on data security and electronic health records (EHR).


Although HIPAA regulations have always placed a degree of priority on patient privacy, two major changes (summarized below) provide an incentive for many to pay special attention to adherence:

Enforcement and Penalties:

  • In the past, many entities were able to “fly under the radar” as a result of limited policing and willful ignorance. This is no longer the case. HIPAA enforcement will now be two-fold, with both the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) vigilantly auditing those falling under HIPAA jurisdiction. In fact, first-time penalties can add up to $50,000, a hefty price to pay for “negligence”.

Are you a Covered Entity (CE) or a Business Associate (BA)?

Previous HIPAA changes usually affected only a select group of entities, often the core hub of healthcare administration. However, the 2013 changes have grown to cover basically any and all types of businesses that even “dip their toes” in the realm of healthcare.

  • First, we have a group called “Covered Entities” (CEs). This group includes the types of entities you would expect to fall under HIPAA governance, essentially ranging from healthcare providers across a myriad of different practices, to healthcare plan providers, to healthcare clearinghouses.
  • The next group is slightly more ambiguous, and may have you questioning whether or not your business should be concerned about HIPAA compliance. This group is known as business associates (BAs), and is about as broad as its title implies. In layman’s terms, a BA applies “specifically to a person or organization that conducts business with the covered entity that involves the use or disclosure of individually identifiable health information”. Quite frankly, if you have done any type of work with a healthcare entity, ranging anywhere from legal to financial and beyond, you may very well be covered under this definition.
  • Even if you do not deal with CEs directly, you may be defined as a business associate solely due to subcontracting with any BA in the healthcare industry under a “Business Associate Agreement”.


It is important to understand both the magnitude and urgency of these newly mandated changes to HIPAA. If there is any doubt in your mind as to whether or not your organization falls into either category, “Covered Entities” or “Business Associates”, it is best to do some research, stay informed, and fine-tune your business practices or compliance mandates accordingly.