Dental and medical offices have until September 23, 2013 to get into compliance with the new HIPAA Omnibus rule released in January. This does not mean you can wait until September: a breach now will still bring fines, as well as the bad press that comes with a breach.
Consider these steps as part of your implementation plan:
1. Conduct a risk analysis as required by law. By conducting a risk analysis, you will determine what specific risks your organization faces. From there, you can create a list of actions you need to take and set priorities. With a risk analysis, you will find out whether you are missing a particular policy or need to update a certain procedure.
2. Amend your Notice of Privacy Practices. Some organizations may not have looked at this for years, or delayed updating their notice until HHS published the final rule. Review your existing Notice of Privacy Practices and be sure you address the additional patients' rights included in the final rule. It's a good springboard to begin addressing all the actions you must take. For instance, under the final rule a patient has the right to direct an organization to transmit his or her PHI electronically to a third party. That gives rise to a review of policies and procedures and draws others, such as your medical records and information technology leaders, into the process. That collaborative effort can build momentum as you implement all of the final rule changes. Once it's revised, make sure the new Notice of Privacy Practices is properly posted and distributed. You will need to provide it to new patients and make the revised notice available to existing patients.
3. Check with your insurance agent to make sure you have data breach insurance. Most insurance companies have dropped this from their policies.
4. Make sure that you are using encrypted backups that are kept offsite at all times, a secure password policy, business-class antivirus, and encrypted email, and that you have a data disaster plan.
Why is it so important to comply now?
- Enforcement of HIPAA and HITECH has moved from the Department of Health and Human Services to the Office for Civil Services, which has hired a former federal prosecutor to enforce compliance.
- The State Attorney General offices now have the authority to investigate and fine for breaches and violations separately from the Federal Government.
- Business Associate Agreements are required for all contractors and vendors that come in contact with PHI, including any subcontractors or third-party vendors they use. Covered entities and business associates are liable for the acts of their business associate agents.
- Federal fines were increased to $1.5 million per type of violation. This amount is not a cap on all fines combined, but a maximum per type of violation per year.