Less than 30 Days and Counting: 6 Steps to Compliance with HIPAA
September 23, 2013 is the deadline for compliance with HIPAA‘s new regulations. In the beginning of this year, the U.S. Department of Health and Human Services issued its Final Omnibus Rule, which modified the Health Insurance Portability and Accountability Act of 1996. The Final Rule was designed to strengthen the privacy and security protections established under HIPAA, and among other things, extends many of the privacy and security requirements of HIPAA to organizations that service the healthcare industry.
28 August 2013
If your organization manages health-related data in any way shape or form, get ready because September 23, 2013 is quickly approaching.
Why is this date so important, you might ask? Well, for professionals in the health or medical industry, the answer to this question is a no-brainer. But for those not directly part of the healthcare industry, the answer may not be as clear.
For those who may not know, September 23, 2013 is the deadline for compliance with HIPAA‘s new regulations. In the beginning of this year, the U.S. Department of Health and Human Services (“HHS”) issued its Final Omnibus Rule (the “Final Rule”), which modified the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Final Rule was designed to strengthen the privacy and security protections established under HIPAA, and among other things, extends many of the privacy and security requirements of HIPAA to organizations that service the healthcare industry.
With just under thirty days left until HIPAA’s deadline of September 23, 2013, here are 6 vital steps Covered Entities and Business Associates should consider taking to ensure compliance:
- Implement Security Rule Requirements – Business Associates must take specific actions to meet Security Rule obligations. These should include a risk assessment to identify vulnerabilities and the adoption of appropriate policies.
- Update Privacy Policies – The HIPAA Privacy Rule adds new restrictions on the use of patient information and expands patient rights to access that information, among other changes. Covered Entities and Business Associates should review and revise their policies, procedures and guidelines to address the new requirements.
- Identify Business Associates – The Final Rule expands and clarifies the definition of "Business Associate," to encompass vendors and contractors that create, receive, maintain or access patient information. Covered Entities should evaluate their relationship with their vendors and contractors to determine if they fall under this new definition of Business Associate.
- Identify Business Associate "Subcontractors" – Subcontractors that create, receive, maintain, or transmit protected health information on behalf of a Business Associate are now also considered "Business Associates.” Entities that contract directly with Covered Entities should evaluate whether their subcontractors are "Business Associates" – and if so, whether they meet HIPAA's requirements.
- Update Business Associate Agreements – The Final Rule includes a requirement to amend Business Associate Agreements to contain additional provisions. Organizations should consider revising their Business Associate Agreements in accordance with the new requirements.
- Update Breach Notification Polices & Procedures – The Final Rule significantly altered HIPAA’s Breach Notification requirements. Covered Entities and Business Associates should consider updating breach notification policies and procedures to address the new requirements.
In light of the updates made to HIPAA under the Final Rule, it’s imperative that affected organizations begin complying with the new requirements as quickly as possible. Whether you’re a healthcare provider, vendor or contractor, use your last few weeks before the deadline to check that you’ll be in compliance.
As the volume of information exchanged increases between entities that routinely handle patient data, it will be important to keep sensitive information protected. Using a secure storage and sharing platform can help mitigate this risk.
For more information on the new HIPAA regulations and how it impacts organizations, please watch our webcast ”Data Sharing and Compliance in the Healthcare Industry.” To learn more about Intralinks' solution for secure content management and collaboration, see Intralinks VIA™.
The information contained herein does not constitute legal advice and is for informational purposes only. Organizations should consult with their own legal advisors regarding the requirements and implications of all rules and regulations discussed herein.