As we mentioned in last week’s Webinar on the HIPAA Final Omnibus Rule, there are fewer than nine short months for covered entities and their business associates (and all downstream business associates) to comply with the HIPAA final rules. For those entities that have already taken steps following the release of the HITECH interim rules, the task may be a little less daunting (although policies, procedures, and Notices of Privacy Practices (NPPs) must still be updated following release of the final rule), but for covered entities and business associates that have taken a “wait and see” approach to the final rule, the compliance clock is now running. September 23, 2013 is just 219 days away.
Here is a list of the key issues that every covered entity and business associate must address before September 23, 2013:
- Perform or update a Security Rule risk assessment to identify the potential risks and vulnerabilities to electronic PHI (a similar gap analysis should be performed to identify the risks and vulnerabilities to all other PHI, e.g. paper files, x-rays, etc.). This is a foundational requirement and the basis for implementing safeguards and policies that comply with the HIPAA Security and Privacy Rules.
- Encrypt, encrypt, encrypt. Electronic PHI that is encrypted at rest and in transit consistent with HHS guidance is not “unsecured PHI,” so the loss or theft of an encrypted device or file does not by itself trigger breach notification.
- Develop or update HIPAA policies and procedures, including policies and procedures that address mobile devices and social media.
- Update and distribute Notice of Privacy Practices to reflect the provisions in the final Omnibus HIPAA rule.
- Review and update all business associate agreements to include and/or clarify breach notification provisions, indemnification obligations, and cyber-insurance requirements.
- Business associates must enter into business associate agreements with their downstream vendors who handle PHI. Covered entities, when contracting with their business associates, should review their business associates’ downstream vendor business associate agreements as part of their own due diligence.
- Develop or update your breach response plan to incorporate the Final Rule’s new objective test for determining whether an incident is a reportable breach.
- Ensure that all employees are trained regularly to comply with your HIPAA policies and procedures. Consistently discipline employees who violate HIPAA policies and procedures.
- Consider procuring data breach/cyber insurance to cover the costs of a breach, which can include investigation (including forensic analysis), mitigation, notification, legal fees, public relations, credit monitoring, and fines and penalties.
We will begin a series of blog posts next week which will further analyze each of the changes in the Final Omnibus HIPAA Rule.