On October 31, the U.S. Department of Health and Human Services Office of Inspector General (OIG) released its 2015 Work Plan. While the scope of the Work Plan is broad, you should know about several areas of special attention related to HIPAA enforcement, which in recent years has become far more proactive and aggressive.
For the first time, OIG will review hospitals’ compliance with specific HIPAA contingency planning requirements. The expectation is that hospitals have plans to assure the security of PHI in the event of any disruption of IT services. Government fines are just the start of your risk exposure – litigation awards in healthcare data breach lawsuits run in the millions of dollars.
This OIG action only affects hospitals directly (for the time being, at least). However, it’s a not-so-subtle nudge for ALL healthcare professionals and providers. The new year is an excellent time to review your own contingency plans and take any necessary steps to be ready in case your business is audited for HIPAA compliance.
Electronic Health Records (EHR) Technology
A more expansive OIG action will be to review health care providers’ EHR systems against “meaningful use” criteria. The first objective of this review is to ensure accurate EHR Incentive Program payments to health care providers. Additionally, OIG will review and assess EHR systems for security compliance.
ALL health care professionals and providers will be subject to this OIG review, so designate an EHR technology review team to ensure that your systems are buttoned up. Yes, a reputable EHR system will have robust safeguards. However, the risk of a PHI data breach is always present.
Your third-party vendors (“business associates”) share responsibility for PHI security. As of September 23, 2014, HHS requires that they be in full compliance with the HIPAA Omnibus Rule. In a nutshell, this means that they have to abide by the same HIPAA regulations that your organization does.
Note that this compliance deadline has passed, so know your risk exposure and make plans to mitigate it. Offsite storage is an excellent, reliable option. Right now, your business associates—as well as any subcontractors they employ—must be in full compliance with the HIPAA Omnibus Rule. Check in with them on their HIPAA compliance status. If they’re falling short, discuss the consequences of their continued non-compliance.
We’re here to help!
There’s a lot to know about HIPAA compliance, and a lot to keep up with. You can count on Corodata to be your go-to resource for HIPAA expertise. Our entire staff undergoes annual training on HIPAA policies and changes, so we’re always up to date.