Since the publication over 20 months ago of the HIPAA Final Omnibus Rule, there has been no shortage of recommendations and advice to health care providers from trade organizations, industry consultants, attorneys and the Office for Civil Rights of the U.S. Department of Health & Human Services (“OCR”) about the steps providers should take in order to achieve HIPAA compliance. Last week marked a final deadline for Omnibus Rule compliance: September 23, 2014, was the date by which covered entities were required to update their agreements with business associates to include the provisions required under the Rule.
Despite the volume of available guidance, health care providers may not appreciate that the process they went through over the past year must be repeated on a regular basis. In particular, covered entities (and, since the Omnibus Rule, business associates) are required to review and modify their HIPAA security measures “as needed to continue provision of reasonable and appropriate protection of electronic protected health information [ePHI].” 45 CFR 164.306(e). In other words, providers who create, receive, maintain or transmit ePHI should conduct another HIPAA Security Risk Assessment whenever they make changes to their information systems, or when they learn of new external threats to existing systems. The failure of providers to reassess their HIPAA security measures following changes in IT infrastructure and applications was a recurring deficiency discovered during OCR’s Pilot HIPAA Audit program, and will be a focus of the new round of audits OCR is beginning this fall. Providers can minimize the possibility of having an outdated Security Risk Assessment by simply planning to conduct one on a regular basis, annually or at least every two years depending on the size and complexity of the covered entity’s operations.
Another aspect of HIPAA compliance that providers should repeat on a regular basis is training regarding the requirements of the HIPAA Privacy and Security Rules. While HIPAA regulations do not expressly require training to be conducted at prescribed intervals (beyond training new workforce members and retraining after material changes to policies and procedures), another focus of OCR’s audits this fall will be whether covered entities have provided training on the HIPAA standards that are necessary or appropriate for each workforce member to perform his or her job duties. As with any type of training, in order for HIPAA training to be effective in helping employees understand the regulatory requirements in the context of their job duties, it should be conducted with some regularity, and at least annually. Employees who handle medical records requests should receive more in-depth training on the patients’ rights provisions of the HIPAA Privacy Rule.
If you are a provider who has invested time and effort over the past year reinvigorating your HIPAA compliance program, preserve the value of your investment by conducting risk assessments and training on an ongoing basis.