In today’s world of HIPAA regulations, not developing a plan for privacy compliance is risky business for healthcare providers. Multiple government agencies are actively enforcing these laws, and the penalty for non-compliance can be costly. With so much focus on HIPAA security, the HIPAA privacy rule can sometimes go unheeded. Yet the government is just as serious about enforcing privacy regulations, and enforcement is clearly within the scope of Office for Civil Rights (OCR) HIPAA audits or investigations.
When HIPAA was updated in 2013 through the Final Omnibus Rule, the privacy and breach notification regulations were tightened. Breach notification requirements were expanded to capture incidents that might previously have gone unreported: the earlier "risk of harm" standard was replaced by a presumption that any impermissible use or disclosure is a breach, with the burden on the covered entity to demonstrate a low probability that the PHI was compromised. Furthermore, the period of protection for Protected Health Information (PHI) was changed from indefinite to 50 years after the individual's death, and harsher penalties were introduced for violations of PHI privacy requirements, applying not only to healthcare providers but also to their business associates.
Unfortunately, keeping up with the complex regulations intended to safeguard patient information is a time-intensive and often ambiguous process. The HIPAA security rule alone includes over 60 standards and implementation specifications. When those security requirements are combined with the numerous and sometimes complex privacy regulations, many healthcare organizations inadvertently put privacy compliance on the back burner, setting themselves up for serious fines and penalties. While rigorous security and privacy practices ultimately protect patients, patients are not the only ones who expect high standards. Multiple government agencies have a role in HIPAA privacy enforcement. The Health & Human Services Office for Civil Rights enforces the privacy, security, and breach notification rules; State Attorneys General can bring civil actions on behalf of their residents; the U.S. Department of Justice prosecutes criminal violations; and the Centers for Medicare & Medicaid Services and the HHS Office of Inspector General each have jurisdiction over parts of the regulatory landscape.
HIPAA privacy compliance calls for covered entities using or disclosing PHI to:
- provide a Notice of Privacy Practices to patients
- create and enforce internal privacy policies and procedures
- implement employee training on those procedures
- maintain the logs, forms, and reports that document compliance; the regulations repeatedly require covered entities to "ensure" compliance, and these records are the evidence that they do
- designate a privacy official responsible for privacy policies and procedures and a contact person to receive privacy-related complaints, and establish privacy requirements with contracted business associates through business associate agreements, then verify that those requirements are met
HIPAA breach notification requirements can be just as daunting, and perhaps just as overshadowed by the security rule. Best practices for breach compliance include continuous assessment, detection, and mitigation of impermissible disclosures of protected health information. A use or disclosure of unsecured PHI that is "not permitted under the privacy rule" is presumed to be a breach, and notification is required unless the covered entity can demonstrate, through a documented risk assessment, a low probability that the PHI was compromised. That assessment weighs the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. Note that PHI encrypted or destroyed in accordance with HHS guidance is not considered "unsecured," so encrypting PHI at rest and in transit is one of the most effective ways to keep an incident from becoming a notifiable breach.
When it comes to penalties, compliance with the privacy rule can prevent what might otherwise be devastating fines, lawsuits, and costly public relations headaches. Ensure your organization has the appropriate administrative, technical, and physical safeguards in place to protect the privacy of health information. When implemented correctly, applicable policies and procedures, documentation, logs, reports, and audits become important defenses. By ensuring compliance, you can head off civil liability and lawsuits, avoid onerous government corrective action, and maintain your organization's integrity and reputation. So be sure that HIPAA privacy is an active component of your overall HIPAA compliance regimen!