"Scramble -- it's compliance time!" Words to this effect are uttered in the hallways of many offices as HIPAA-covered entities begin a mad dash toward ensuring that their business practices are compliant with the Health Insurance Portability and Accountability Act (HIPAA). Such efforts might be tied to an annual risk assessment, board meeting or other event that triggers a compliance review, but are usually characterized by a period of mild panic as staff members verify that the organization is meeting its HIPAA obligations.
As covered entities around the nation settle in to the HIPAA Omnibus Rule 2013 that went into effect last September, it's an excellent time for an organization to question its own compliance practices. Are you guilty of the last-minute annual scramble? If so, consider whether your organization's information security practices allow it to comply with HIPAA's security provisions on a continuous basis, rather than performing a once-a-year health check. This continuous compliance approach reduces the risk of protected health information (PHI) being breached, as well as minimizing the stress on teams charged with maintaining HIPAA compliance.
How the Omnibus Rule transforms HIPAA
The Omnibus Rule makes two changes to HIPAA's Security Rule that are of note to security professionals. These involve modifications to practices surrounding data breach notification and business associates.
Organizations that experience an impermissible use or disclosure of PHI must presume that a breach has taken place, and notify both the affected individuals and the Department of Health and Human Services (HHS). If a company has not already modified its incident-response procedures to adopt these new guidelines, it should do so immediately.
HHS now also has the authority to regulate the activities of the business associates of covered entities. Covered entities should review any current business associate agreements to ensure that they require the business associate to comply with the Security and Privacy Rules. Business associates must also ensure that they are complying with the provisions of those rules, as they are now directly responsible for doing so under the law.
Moving to a culture of continuous compliance
While reviewing PHI handling practices, it's also a good time for an organization to do a complete HIPAA checkup. First, an organization should determine whether its information security practices are sufficient for complying with all of the provisions of the HIPAA Security Rule; then it should look for ways to adopt the principles of continuous compliance, which can ensure that it remains compliant throughout the year and becomes immediately aware when a gap in compliance occurs.
To create a culture of continuous compliance, healthcare organizations need to build comprehensive compliance plans based around any relevant HIPAA obligations, which means getting a grip on documenting compliance controls and figuring out how to maintain that documentation. Outlining each element of the HIPAA Security Rule and documenting specific business practices will hopefully develop a shared understanding within the organization of the processes that enable HIPAA compliance.
As these compliance plans are developed further, think about ways that automated monitoring procedures can be incorporated into the process, with the ultimate goal of reducing the burden on IT staff and allowing the organization to be continually aware of its compliance status. For example, the data backup plan control required by the HIPAA Security Rule specifies that an organization must "establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information." The rule only requires that backup procedures be in place; those procedures might be reviewed during an annual audit, but the rule does not require an automated testing regimen. If you implement an automated test that verifies backups are performed properly and notifies IT staff when the process fails, the organization gains the ability to comply with the data backup plan requirement continuously. If the control fails, IT staff will know immediately and be able to remediate the situation, rather than waiting for a future HIPAA assessment to uncover the failure.
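The following script is an added example of the kind of automated backup-control test described above; it is not code from the original article or from any product. It assumes a constructed convention in which each backup run writes a directory holding `backup.dat` and a `manifest.json` that records the file's SHA-256 and the completion time. The check covers both halves of the rule's wording: that a copy was made within the allowed window (recency) and that it is still an exact copy (integrity), and it routes failed findings through a notification hook so IT staff learn about a lapse the day it happens rather than at the next assessment.

```python
"""Automated backup-control check for continuous HIPAA compliance.

Added example, not from the original article. The run-directory layout
(backup.dat + manifest.json) and the timing window are assumptions
constructed for this example; adapt them to your own backup tooling.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupFinding:
    control: str   # which aspect of the data backup plan control was checked
    passed: bool
    detail: str


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large backup images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup(run_dir: str, now: datetime, max_age: timedelta) -> list:
    """Evaluate one backup run against the recency and integrity expectations."""
    findings = []
    manifest_path = os.path.join(run_dir, "manifest.json")
    if not os.path.exists(manifest_path):
        return [BackupFinding("backup-exists", False, f"no manifest in {run_dir}")]
    with open(manifest_path) as f:
        manifest = json.load(f)

    # Recency: a backup older than the allowed window means the control has lapsed.
    completed = datetime.fromisoformat(manifest["completed_at"])
    age = now - completed
    findings.append(BackupFinding("backup-recency", age <= max_age,
                                  f"last backup completed {age} ago (limit {max_age})"))

    # Integrity: "retrievable exact copies" means the stored file must match its recorded hash.
    data_path = os.path.join(run_dir, "backup.dat")
    if not os.path.exists(data_path):
        findings.append(BackupFinding("backup-integrity", False, "backup.dat is missing"))
    else:
        matches = sha256_of(data_path) == manifest["sha256"]
        findings.append(BackupFinding("backup-integrity", matches,
                                      "checksum matches" if matches
                                      else "checksum mismatch: copy is not exact"))
    return findings


def notify(findings, send) -> bool:
    """Forward failed findings through `send` (e.g. an e-mail or pager hook). Returns overall pass."""
    failed = [f for f in findings if not f.passed]
    for f in failed:
        send(f"[BACKUP CONTROL FAILED] {f.control}: {f.detail}")
    return not failed


def make_sample_run(root: str, content: bytes, completed_at: datetime, tamper: bool = False) -> str:
    """Constructed test fixture: writes a fake backup run directory (sample data, not real PHI)."""
    run_dir = os.path.join(root, completed_at.strftime("%Y%m%dT%H%M%S"))
    os.makedirs(run_dir)
    data_path = os.path.join(run_dir, "backup.dat")
    with open(data_path, "wb") as f:
        f.write(content)
    manifest = {"sha256": hashlib.sha256(content).hexdigest(),
                "completed_at": completed_at.isoformat()}
    if tamper:  # simulate a copy corrupted after the manifest was written
        with open(data_path, "ab") as f:
            f.write(b"corruption")
    with open(os.path.join(run_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return run_dir


if __name__ == "__main__":
    now = datetime(2014, 3, 1, 8, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as root:
        good = make_sample_run(root, b"sample export", now - timedelta(hours=6))
        stale = make_sample_run(root, b"sample export", now - timedelta(days=3), tamper=True)
        for run in (good, stale):
            ok = notify(check_backup(run, now, timedelta(hours=24)), print)
            print(run, "PASS" if ok else "FAIL")
```

Schedule `check_backup` against the newest run directory after every backup window and wire `notify` to whatever channel the on-call team already watches; the findings list, kept as a log, also doubles as the documentation an annual assessment will ask for.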
Embracing an opportunity
Though there may be the natural tendency for organizations to view the HIPAA Omnibus Rule as another compliance hurdle, I would suggest thinking of it as an opportunity to stop the mad dash to compliance in your organization and introduce a calmer, more continuous approach to meeting regulatory obligations. Investing a little extra time during the development of compliance plans can save an organization countless hours of rework in future years, and generate the side benefit of not scrambling to meet HIPAA requirements once a year.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is senior director for IT service delivery at the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, and is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and the Security+ Training Kit.