Over the last couple of days I have received more calls and queries regarding the Sep 24, 2013 deadline. Most people are confused and don't know where to start. Even worse is the number of contractors approaching healthcare professionals trying to sell them goods they don't necessarily need, or that won't take care of the requirements.
The HIPAA Omnibus Rule by itself is not that bad if you have been keeping up with the changes in healthcare. Regretfully, that has not been the case in many offices, where the interpretation of HIPAA was to get policies and a Notice of Privacy Practices and you are done. That means that if you have not completed your gap and risk analyses, updated your policies annually based on regulatory changes, implemented the requirements of HITECH and so on, you are now behind the power curve.
Considering that each penalty can now be as much as $1.5 million, I strongly advise you to either get on the ball or start planning your retirement. Anyway, here are some basic steps to help you with the process:
1. Update your Notice of Privacy Practices. Remember to give a copy to each new patient and to post a copy in a visible place in your office.
2. Update your HIPAA Security and Privacy policies. The HIPAA Security requirements are considerably more intense than HIPAA Privacy, so I strongly advise you to follow the policy and document how you handle each "required" and "addressable" implementation specification.
3. Train, train and train. There is too much going on to simply do one training session a year for your staff. Ask any member of your staff the following questions:
• What are the basic steps required in terms of breach notifications?
• What is the difference between HIPAA Security and HIPAA Privacy?
• Have you read the office's Notice of Privacy Practices? Can you explain the patient rights it describes?
Based on the answers you should get a basic idea of your training needs. Poorly trained staff members are a liability and will make costly mistakes after Sep 23.
4. Identify business associate relationships and update agreements. You also need to get "assurances" from your Business Associates regarding their compliance actions.
Also don't forget the Affordable Care Act (ACA) compliance requirements, which most people have not been paying attention to at all.
We are at a time when Nike's slogan says it best: "Just do it".