
After HIPAA Omnibus Rule 2013: How to implement continuous compliance

Expert Mike Chapple explains why the HIPAA Omnibus Rule 2013 presents an opportunity for organizations to embrace a continuous compliance approach.

"Scramble -- it's compliance time!" Words to this effect are uttered in the hallways of many offices as HIPAA-covered entities begin a mad dash toward ensuring that their business practices are compliant with the Health Insurance Portability and Accountability Act (HIPAA). Such efforts might be tied to an annual risk assessment, board meeting or other event that triggers a compliance review, but are usually characterized by a period of mild panic as staff members verify that the organization is meeting its HIPAA obligations.


As covered entities around the nation settle into the HIPAA Omnibus Rule 2013, which took effect last September, it is an excellent time for an organization to question its own compliance practices. Are you guilty of the last-minute annual scramble? If so, consider whether your organization's information security practices allow it to comply with HIPAA's security provisions on a continuous basis, rather than performing a once-a-year health check. A continuous compliance approach reduces the risk of protected health information (PHI) being breached, and it minimizes the stress on the teams charged with maintaining HIPAA compliance.

How the Omnibus Rule transforms HIPAA

The Omnibus Rule makes two changes to HIPAA's Security Rule that are of note to security professionals. These involve modifications to practices surrounding data breach notification and business associates.

Organizations that experience an impermissible use or disclosure of PHI must now presume that a breach has occurred unless a documented risk assessment demonstrates a low probability that the PHI was compromised; this replaces the earlier "significant risk of harm" standard. If the presumption is not rebutted, they must notify both the affected individuals and the Department of Health and Human Services (HHS). If a company has not already modified its incident-response procedures to reflect this presumption and to produce and retain that risk assessment, it should do so immediately.

HHS now also has the authority to enforce HIPAA directly against the business associates of covered entities, and the rule extends business associate status to their subcontractors. Covered entities should review any current business associate agreements to ensure that they require the business associate to comply with the Security Rule and the applicable provisions of the Privacy Rule. Business associates must also ensure that they are complying with the provisions of those rules themselves, as they are now directly liable for doing so under the law.

Moving to a culture of continuous compliance

While reviewing PHI handling practices, it's also a good time for an organization to do a complete HIPAA checkup. First, an organization should determine whether its information security practices are sufficient for complying with all of the provisions of the HIPAA Security Rule. Then it should look for ways to adopt the principles of continuous compliance, which ensure that it remains compliant throughout the year and becomes immediately aware when a gap in compliance occurs.

To create a culture of continuous compliance, healthcare organizations need to build comprehensive compliance plans based around their HIPAA obligations, which means documenting each compliance control and deciding how that documentation will be maintained. Outlining each element of the HIPAA Security Rule and documenting the specific business practice that satisfies it should develop a shared understanding within the organization of the processes that enable HIPAA compliance.

As these compliance plans are developed further, think about ways that automated monitoring can be incorporated into the process. The goal is to reduce the burden on IT staff and to let the organization know its compliance status at all times. For example, the data backup plan control required by the HIPAA Security Rule (45 CFR 164.308(a)(7)(ii)(A)) specifies that an organization must "establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information." The rule requires only that backup procedures exist; it does not require an automated testing regimen, and in practice those procedures are often reviewed only during an annual audit. If you implement an automated test that verifies each backup was produced, is intact and can actually be restored, and that notifies IT staff when any of those checks fail, the organization can comply with the data backup plan requirement continuously. The word "retrievable" matters here: a backup job that reports success but produces a corrupt or unrestorable copy does not satisfy the control, so the test should exercise a restore, not just confirm that the job ran. If the control fails, IT staff will know immediately and be able to remediate the situation, rather than waiting for a future HIPAA assessment to uncover the failure.
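The following Python script is an added example of the kind of automated backup check described above; it is not code from the article or from any particular product. It assumes a backup job that drops archives into a directory alongside a manifest.json listing each file's expected SHA-256 digest, and a notify() hook that stands in for whatever paging or ticketing call the team uses. All of these, plus the sample "database dump", are constructed for illustration and contain no real PHI. The check verifies that each listed file is present, non-empty, fresh, unmodified since the manifest was written, and that every member of a tar archive can be read back out (a dry-run restore), then reports every failure rather than stopping at the first one.

```python
"""Continuous-compliance check for the HIPAA data backup plan control.

Added example (not the article's code). Assumptions: backups land in a
directory with a manifest.json of the form {"files": {name: sha256hex}},
and notify() is replaced with the team's real alerting call.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile
import time


def sha256_file(path):
    """Hash a file in chunks so large archives are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_test(archive_path):
    """Dry-run restore: read every regular file back out of the archive.
    Returns the names of members that could not be fully read."""
    failed = []
    with tarfile.open(archive_path) as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            if len(data) != member.size:
                failed.append(member.name)
    return failed


def verify_backup(backup_dir, max_age_hours=24, now=None):
    """Check one backup directory against its manifest.
    Returns (ok, findings); findings lists every check that failed."""
    now = time.time() if now is None else now
    findings = []
    try:
        with open(os.path.join(backup_dir, "manifest.json")) as f:
            manifest = json.load(f)
    except (OSError, ValueError) as exc:
        return False, ["manifest.json unreadable: %s" % exc]

    for name, expected_digest in manifest["files"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.isfile(path):
            findings.append("%s: missing" % name)
            continue
        st = os.stat(path)
        if st.st_size == 0:
            findings.append("%s: empty" % name)
        age_h = (now - st.st_mtime) / 3600.0
        if age_h > max_age_hours:
            findings.append("%s: stale, %.1f h old" % (name, age_h))
        if sha256_file(path) != expected_digest:
            findings.append("%s: SHA-256 mismatch" % name)
        elif tarfile.is_tarfile(path):
            # "Retrievable" means restorable, so exercise the restore path too.
            for member in restore_test(path):
                findings.append("%s: restore of %s failed" % (name, member))
    return not findings, findings


def notify(findings):
    """Alert hook (assumed; replace with the team's paging/ticketing call)."""
    for line in findings:
        print("BACKUP CHECK FAILED:", line)


def build_sample_backup(backup_dir, now=None):
    """Write a constructed sample backup: a tar holding a fake, PHI-free
    database dump, plus the manifest the verifier expects."""
    now = time.time() if now is None else now
    archive = os.path.join(backup_dir, "ehr-db.tar")
    dump = b"-- constructed sample dump, no real PHI --\nINSERT INTO patients VALUES (1, 'TEST');\n"
    with tarfile.open(archive, "w") as tar:
        info = tarfile.TarInfo("ehr-db.sql")
        info.size = len(dump)
        info.mtime = int(now)
        tar.addfile(info, io.BytesIO(dump))
    os.utime(archive, (now, now))
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump({"files": {"ehr-db.tar": sha256_file(archive)}}, f)
    return archive


def demo():
    """Run the check on a good backup, a stale one, and a corrupted one."""
    with tempfile.TemporaryDirectory() as d:
        archive = build_sample_backup(d)
        good = verify_backup(d)
        # Same files, but evaluated as if two hours had passed with a 1 h SLA.
        stale = verify_backup(d, max_age_hours=1, now=time.time() + 7200)
        with open(archive, "r+b") as f:  # simulate bit rot inside the data block
            f.seek(520)
            f.write(b"X")
        corrupted = verify_backup(d)
        notify(corrupted[1])
        return {"good": good, "stale": stale, "corrupted": corrupted}


if __name__ == "__main__":
    print(demo())
```

Run this from a scheduler after every backup job and route notify() to the on-call channel; the manifest should be written by the backup job itself (or by a separate signing step) so that the check compares against what was intended to be backed up, not against whatever happens to be on disk.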

Embracing an opportunity

Though there may be the natural tendency for organizations to view the HIPAA Omnibus Rule as another compliance hurdle, I would suggest thinking of it as an opportunity to stop the mad dash to compliance in your organization and introduce a calmer, more continuous approach to meeting regulatory obligations. Investing a little extra time during the development of compliance plans can save an organization countless hours of rework in future years, and generate the side benefit of not scrambling to meet HIPAA requirements once a year.

About the author:
Mike Chapple, Ph.D., CISA, CISSP, is senior director for IT service delivery at the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, and is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and the Security+ Training Kit.

This was last published in April 2014



I appreciate your insight, Mike, on the benefit of creating standard operating procedures in the IT organization that address ongoing compliance with HIPAA regulations rather than taking a checklist approach at the time of the annual audit.
The benefits of creating a standard operating procedure rather than an annual checklist at audit time are huge!
Healthcare organizations allowed their employees to share the required data with providers, trading partners, etc. via email, local FTP, cloud services and other media that they were most comfortable using. This creates a security nightmare for the IT staff responsible for the security of that data. We eventually found and implemented an MFTP solution called GoAnywhere from Linoma Software. This not only allowed us to encrypt and secure our file transactions, but it also allowed us to give access to our users in the methods that they were already comfortable with. With a little end-user training on our Security Policies and Procedures, GoAnywhere helped make the transition to greater compliance with HIPAA regulations easier and more effective than any other solution that I've seen.
Productivity increased as we implemented automated scripts and scheduling of much of our repetitive data transactions to the multitude of trading partners. Take a look at for more information
A risk analysis exercise is to be carried out as the first step toward implementing HIPAA controls, and eventually achieving HIPAA compliance. SISA's HIPAA risk analysis approach focuses on conducting an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity.