We would like to make sure all of our valued clients remain up to date on the latest HIPAA developments that affect their practices. In light of the Omnibus Rule updates, and considering the looming onset of Meaningful Use 2, allow us to provide a quick refresher!
All practices should, by now, have completed a HIPAA Security Risk Assessment (RA), whether or not they have attested for Meaningful Use. As is the nature of legislation, the regulations on which this RA is based have changed yet again. Updating the RA for these changes is a key aspect of a practice’s compliance program.
The first major change that happened with the onset of the Omnibus Rule this past September has to do with us – Business Associates. Direct liability for safeguarding patient data has been imposed, including a requirement for us to complete our own RA! Practices, however, just need to make sure their Business Associate Contracts have been updated. These should be updated as they expire, or within a year of 9/23/13 (whichever is sooner).
Breach Notification requirements were also amended. The definition of a breach of PHI has been updated; now, a breach is not reportable to HHS if a practice can determine, via an RA, that there is a low probability the PHI has been breached. Furthermore, fines cannot be imposed if the breach was not due to willful neglect and was corrected within 30 days.
The Privacy Rule has not been missed in this recent HIPAA makeover. Changes have been made to permissible uses and disclosures, patients’ right to access their PHI electronically, and restrictions on the sale of PHI. In light of this, a practice should update its Notice of Privacy Practices (NPP).
As always, Kali Systems is available to help with your HIPAA compliance efforts. We would be happy to answer your questions, assist you with your RA updates, or provide templates for NPPs and BA Contracts.