LIVE from MGMA13: An Action Plan for HIPAA Omnibus Compliance

Oct. 9, 2013
On October 8 at the MGMA annual conference in San Diego, Calif., two MGMA Government Affairs members and an independent attorney gave attendees a summary and analysis of the latest changes to key federal privacy and security requirements, including breach notification, business associates and new patient rights, all part of the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule published earlier this year.

On October 8 at the MGMA annual conference in San Diego, Calif., two MGMA Government Affairs members and an independent attorney gave attendees a summary and analysis of the latest changes to key federal privacy and security requirements, including breach notification, business associates and new patient rights, all part of the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule published earlier this year.

Since the updated version of HIPAA went into effect on Sept. 23, providers have been busy prioritizing compliance activities, understanding the breach notification rule and patients’ rights, and following new requirements related to business associates (BAs).

But there still seems to be as many questions as there are answers. Robert Tennant, senior policy advisor, MGMA Government Affairs, Amy Nordeng, senior counsel, MGMA Government Affairs, and Susan Miller, an attorney from Concord, Mass., provided a comprehensive explanation of the regulations as well as practical solutions for incorporating these requirements into a practice. 

The presenters outlined the following 12 steps to reach HIPAA compliance:

1. Begin with a thorough risk assessment

2. Review all current policies and procedures (gap analysis)

3. Identify all locations with protected health information (PHI)

4. Determine whether encryption is warranted and to what extent

5. Review your medical record retention and destruction policies to confirm that data is being destroyed properly

6. Create a cost-effective plan to mitigate top risks (i.e., physician laptops)

7. Ensure BA contracts are modified

8. Update policies and procedures

9. Train impacted staff

10. Take a cross-functional approach to compliance

11. This is a good opportunity to do a HIPAA house cleaning!

12. “HIPAA-tize” your staff

Tennant and Miller propose some more basic “best practices” organizations can deploy to better protect themselves.

  • Recognize that as patient data is being moved electronically, it becomes vulnerable.
  • Know that patients are getting more sophisticated about their own data, and frankly, more concerned about who is getting access to it.
  • Always be thinking how you can best protect your data.
  • Be very cautious, especially in regards to mobile technology. That’s where the real risk is.
  • Shred your hard drive on copiers and fax machines.
  • Encrypt your e-mail, or don’t put PHI in an e-mail.
  • Instead, load patient’s lab results, appointment notices, and prescription refills to the portal.
  •  For social media, your office needs a policy for when you will include ePHI (electronic PHI) in social media and when you will not permit it.
  • Make sure back doors of offices aren’t kept open and position computer screens so they can’t be seen.
  • Have a sign-in sheet not only for patient, but for vendors.

Healthcare Informatics has even more coverage of the HIPAA Omnibus Rule, as seen below:

The Guidance Begins to Roll Out

As HIPAA Omnibus Compliance Ticks Closer – What Should Providers Know?

In HIPAA “Possession” is 10/10ths of The Law

Looking at the HIPAA Final Omnibus Rule: An Attorney's Perspective

HIPAA Omnibus: Strategies for Compliance (Podcast)

One Big Issue the HIPAA Omnibus Rule Doesn’t Address

Sponsored Recommendations

Healthcare Rankings Report

Adapting in Healthcare: Key Insights and Strategies from Leading Systems As healthcare marketers navigate changes in a volatile industry, they know one thing is certain: we've...

Healthcare Reputation Industry Trends

Navigating the Tipping Point: Strategies for Reputation Management in a Volatile Healthcare Environment As healthcare marketers navigate changes in a volatile industry, they can...

Clinical Evaluation: An AI Assistant for Primary Care

The AAFP's clinical evaluation offers a detailed analysis of how an innovative AI solution can help relieve physicians' administrative burden and aid them in improving health ...

From Chaos to Clarity: How AI Is Making Sense of Clinical Documentation

From Chaos to Clarity dives deep into how AI Is making sense of disorganized patient data and turning it into evidence-based diagnosis suggestions that physicians can trust, leading...