Much has been written on HIPAA so i will not replicate that here. This is a high level summary to easily address the different areas of focus;
HIPAA compliance is following the administrative, technical and physical safeguards outlined in the HIPAA law of 1996. Since then there have been a few amendments;
- The Security Rule Amendment of 2003
- The Privacy Rule Amendment of 2003
- The Breach Notification Rule of 2009 The Omnibus Rule of 2013
The Security Rule amendment
The technical safeguards requires encryption, access control and audit trails for HIPAA protected data. Security awareness training for personnel working with HIPAA protected data and establish incident response procedures to follow in the event of an incident. Lastly enforce third party contracts to hold them to the same HIPAA compliance rules.
The physical safeguards include controlling access to facilities where HIPAA protected data is stored, establish policy for workstations and mobile devices that access HIPAA data.
The administrative safeguards include risk assessment, ongoing risk management, staff training, create and audit business continuity contingencies. Finally restrict unauthorized access and document all incidents violating rules governing HIPAA protected data.
The privacy rule amendment requires prompt response to patient request, sending notice of privacy practices to patients, providing privacy training to staff, requesting permission from patient prior to using their data for reasons other than their treatment and remember to use the latest version of authorization forms.
Regarding the breach notification rule, if more the 500 people's records are compromised notify HHS, OCR and produce a press release. If the number is less than 500 notify HHS with 60 days of the breach.
In the breach report, ensure to include; 1. the description of the HIPAA protected data and personal identifiers compromised 2. Identify who gained unauthorized access to them 3. clarify if the data was viewed or downloaded/ extracted and 4. Identify any mitigation steps taken to prevent future occurrences.
The Omnibus rule requires the covered business to refresh their business associate agreements to reflect the changes of the omnibus rule and send copies to their business partners. Update their privacy policies to reflect changes in the omnibus rule. Update notices of privacy practices as advised by the HIPAA journal and finally train and confirm all personnel are aware of the new omnibus rule.