Is Your Organization Fully Omnibus Rule HIPAA Compliant?

Key Notes of Health Care Compliance

From HIPAA Exams, Inc.

March 2014

September 23, 2013 is long past, but compliance is still the priority!  With the rise of the mobile workforce, compliance may be difficult; however, it is absolutely necessary to avoid costly penalties. 

Review the checklist below to see how you measure up in Omnibus Rule HIPAA compliance.

  1. Have you appointed a Privacy Officer?**
  2. Have you appointed a Security Officer?
  3. Have you complied with all required HIPAA Security Rule requirements to implement safeguards: administrative, technical, and physical? Document this implementation!
     a. If you did not implement any of the security standards, you must document your reasons for not complying!
  4. Have you updated your Notice of Privacy Practices (NPP) and posted the updated NPP on your organization's website?**
  5. Have you amended your Business Associate Agreements (BAAs) to include the additional required HIPAA provisions?
     a. Remember, existing compliant BAAs must be amended by September 23, 2014. New BAAs must have been completed by September 23, 2013 and must contain the Omnibus Rule mandated requirements.
  6. Have you trained or retrained your workforce on all of the new Omnibus Rule HIPAA requirements, including security workforce training?
     a. Training of all workforce members on policies and procedures with respect to PHI is mandated under the HIPAA Privacy Rule.
     b. Training is mandatory! Document all training!
  7. Have you established policies and procedures for providing access to electronic protected health information (ePHI) to third parties when requested by an individual?
     a. Document the policies and procedures!
  8. Have you conducted an annual security risk assessment?
     a. Are this assessment and its results documented?
  9. How are you addressing any issues found in the risk assessment?
     a. Document your action items.
  10. How are you ensuring that ePHI is secure? Are you using encryption or destruction?
     a. Document this in your Security Policies and Procedures.
  11. Do you have Policies and Procedures in place for breach notification should one occur?
     a. Make sure that your policies and procedures include the "low probability of compromise of ePHI" test.
     b. Document all breaches involving fewer than 500 individuals in your annual report to the Department of Health and Human Services (HHS) as required by HIPAA.

Key takeaways from this checklist:

  • Document, document, document
  • Train, train, train
  • Secure all PHI
  • Comply with data protection regulations.
  • Avoid costly breaches!

Be ready if an audit comes!

Stay current with HIPAA requirements through online educational modules from HIPAA Exams, Inc. Modules are currently available for Business Associates, Administrators, Health Care Providers, Nurses, Medical Office Staff, and other Health Care workers.

** Applies to Covered Entities (CEs) only.