Hi All,
What usually happens is that I send out one of these messages about how a rule is expected any day, and the next day the rule comes out. Well, we're there again with the giant update to HIPAA, expected out by year end, even though the folks at HHS OCR won't give us a date. I'll expect the giant omnibus HIPAA update to be announced any day now that I'm sending out this message about its not being announced yet. I'll cover a little about what to expect, about how HHS has finally announced more about the new Audit program now actually getting under way, and about a new tool to assist with HIPAA Security Rule compliance, being released shortly by NIST.
-- The Big HIPAA Rule Update
The big update is actually coming, as was represented by HHS Office for Civil Rights deputy director Sue McAndrew on October 25th at the WEDI fall conference. She refused to give a date as to when, but it did not appear on the slide of what to expect in 2012, so I'll read between the lines and say it will be out by year's end.
What is it? It is a final rule for all the proposed and interim final rules affecting HIPAA that have been put forth over the last few years, including all the HITECH changes (with one important exception), and the Genetic Information Nondiscrimination Act (GINA). It includes breach notification, new violation categories and penalty levels, covering Business Associates and their subcontractors directly under the regulations, rights of electronic access of electronic PHI, new restrictions on disclosures, revisions to Business Associate Agreements, and pretty much everything that's been put forth EXCEPT for the changes to Accounting of Disclosures. The changes to Accounting of Disclosures were just proposed this last summer and HHS has not had the time necessary for absorbing and reacting to all the comments that were submitted about the proposal. I wouldn't expect to see a final rule on Accounting of Disclosures (and the dreaded Access Report) until later in 2012, or 2013.
So, everyone who has to deal with HIPAA will need to deal with the final rule changes once they're issued. I'll let you know when it comes out and what will need to be done differently from what you're already doing. Remember, the interim final rules, like for Breach Notification and Enforcement, are already enforceable, so you should have a lot of what will be needed in place already, but more changes to policy and procedures will be required. Most of the changes affect Privacy Rule sections, and the Security Rule is essentially unchanged, except for the addition of BAs to the listings of who must comply.
What can you do now? Start finding and prioritizing your BAAs for renewal, and do your best to come up with new BAA wording that will meet the proposed regulations, which are not expected to change in final form for this topic area. If you start using BAAs that meet the new language requirements now, you probably won't have to update those later. Update the ones for BAs that handle the most PHI or the most detailed PHI first, as those are likely to be your bigger breach risks, and include the proper language for notification, liability, and indemnification of breaches.
And dig out your HIPAA Privacy policies and start looking at changes you need to add for the new Privacy rights for electronic copies and restrictions of disclosures. Don't forget that as you change policies and patient rights change, you'll need to update your Notice of Privacy Practices.
In short, start getting ready for the changes; they're coming soon now, really they are.
-- HIPAA Audit Program Now In Action
Of course, new violation categories and penalty levels wouldn't be any fun at all without a new audit program to find violations, and the new one required by the HITECH Act is finally rolling, with the first "auditees" being notified right now. First they're looking at 20 entities by the end of April to work the bugs out of their program and protocols, and then they'll do up to 150 covered entities total by the end of 2012. No Business Associates this time -- I don't think HHS really has any way to figure out who the BAs are from whom they can draw a random sample, so this will be a difficult legislative mandate to meet, for the BA reviews. And Sue McAndrew, in the same presentation at the WEDI conference, said that the 150 is just an upper limit, and that they may not get to all 150 by the end of 2012. So, it's only Covered Entities, and not necessarily 150.
Well, no matter, the program is now under way, so any covered entity, even with no complaints having been filed or breaches having been reported, could be hit with an audit by the KPMG team implementing this first program, and even if they only do 100, you or someone you know will probably get put under the HIPAA microscope. Now is the time to review your compliance, and be ready for the changes. If they ask you, you'll have only 10 business days to respond, which is no time at all.
Here's a link to the HHS page all about the program: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html
And here are some links to HIPAA Audit questions that have been asked in the past -- get comfortable with these and you'll be in better shape than most:
http://tinyurl.com/2ac9jm - http://tinyurl.com/27eakjz - http://tinyurl.com/3jpoa4p
I'm hoping that current details about what goes into the new audits will be made available soon -- it's always better to have some clear idea of how to prepare and what to expect. I'll let you know if I find out more (and, of course, check the www.lewiscreeksystems.com website regularly).
-- New NIST HIPAA Security Toolkit Coming Soon
Another great thing discovered at this fall's WEDI conference is that NIST is about to release a new HIPAA Security Toolkit that is a no-cost web-based application written in Java, available for Windows, Mac OS, and a number of Unix platforms. The Toolkit steps the user (and it can individually track several toolkit users in one institution at once) through a series of questions reflecting the HIPAA Security Rule and all the relevant NIST publications (SP 800-53 series, SP 800-66, etc.) for Security Rule compliance.
The toolkit wisely avoids little tricks like giving you a meaningless summary such as a "level of compliance" -- but it does point out the areas where you weren't able to supply enough information to show you are in compliance. It will be updated as rules and normal security procedures change, and the results will be updated automatically. Based on the demo I saw at the WEDI conference, the toolkit will be an excellent weapon in the HIPAA compliance arsenal, and while it won't be the kind of thing that turns an office manager into a security expert, it will enable those who do HIPAA security analyses to develop consistent, repeatable results, which is a breakthrough at the $0 price point.
I know it will be a part of my arsenal anyway, and I'll pass along the info as soon as I find out it's released. (I've got a contact inside the project, so I'm sure to know ASAP when it's publicly available.)
-- In the meantime...
Please have a safe and happy Thanksgiving holiday week!
Jim