NEW DEADLINE: September 23, 2013
The new HIPAA Omnibus rule became law on March 23, 2013. The main provisions of the Rule, which include new requirements for healthcare organizations, insurance companies, hospitals, clinics, pharmacies, dental practices and many other organizations, also include Business Associates, which means any organization that has access to patient medical records (PHI- Protected Health Information).
So all the data managers, the data storage companies, the lawyers and countless other companies who are part of flow of healthcare and medical data also have to have a completed HIPAA Risk Analysis by September 23, 2013!
For primary healthcare providers, to be in compliance with the HIPAA Omnibus Rule, they have to revise all their policies and procedures, and also rewrite their contracts with business associates, to place responsibility for data protection on the business associates. And business associates have to apply the same policies to their subcontractors too. So thousands of policies and contracts are being furiously re-written, as I write this!
Completing a HIPAA Risk Analysis is the best way to prepare for the deadline, and also to pinpoint any area where your organization needs to
improve a control, a policy or their operating procedures. As a core HIPAA requirement, the Risk Analysis is a kind of summary of where the organization is in relation to all the HIPAA Rules, including HIPAA Privacy, HIPAA Security, NIST SP 800-66, the Office of Civil Rights, and the
Breach Notification Act.
There are great software tools available to help managers do a HIPAA Risk Analysis (like my HIPAA Risk-Pro program), available online at
www.flash-risk.com, or, as another option, many other organizations are hiring HIPAA consultants to come in and do a Risk Analysis for them.
So if you are a healthcare organization, or a designated business associate, you can start your HIPAA Risk Analysis on Tuesday, Sept. 3,
and have it completed by the deadline.
The Office of Civil Rights has a big pot of money, collected from fines, and they have hired more investigators to go out and audit all these organizations for HIPAA Compliance. Recently a small hospice in Idaho was fined $50,000, and a physicians practice in Arizona was fined $100,000, and
many other organizations, including states and health plans, have been fined more than $1,000,000 for a variety of violations, including not
having a current Risk Analysis.
For more information on how to do a HIPAA Risk Analysis, you can write to: info@riskandsecurityllc.com and get a free HIPAA Risk Analysis Guide, a free Project Plan, and a copy of exactly what the OCR Regulators look for when they conduct a HIPAA audit.