Advisory Panel: HIPAA Omnibus Rule
The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.
If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.
The question this time: Are your organization’s executives paying a lot of attention to the HIPAA Omnibus Rule, or is it just business as usual?
It has been difficult to get executive attention on HIPAA security topics in general. We are going to use the HIPAA Omnibus rule to kick start a new education and training program across the entire organization. We will start with executives first.
Pretty much business as usual.
No, or if they do, we are not aware of it, which is just the same. Business as usual — the yearly training from a hired overpaid consultant so we can check the box for compliance.
[vendor member response] We are paying a lot of attention. As part of a recent acquisition, we are now part of a larger organization that is working to extend coverage of HIPAA, HITECH, and the BAA more broadly.
Business as usual.
It’s primarily business as usual; however, there are some provisions of the rule that may require us to revisit many of our third-party contracts. That has the potential to be a major endeavor, so it is something we are evaluating now.
Business as usual.
IT executives are because we are also on the hook for data security. The ability to not share data on specific encounters defined by payer type (insurance vs. self-pay) concerns me a lot. I am not sure the HIS/EMR/EHR vendors are ready. I can’t say any of our other executives have even read a brief on the Omnibus rule.
[vendor member response] We are very concerned about the increased risk/liability for breaches. This is a big concern when using contractors. Our clients are not knowledgeable about the changes and truly not focused on it at all. On the ambulatory side of things, practices, even larger ones, are so swamped with EMR/EHR, and revenue loss from managed care that they consider HIPAA a done deal.
No. They are not at all, even after several attempts to raise awareness.
The organization is ignoring the rule, but the expectation is that IT and HIM stay on top of it. I don’t have a problem with that and so IT/HIM are finishing up our changes in order to comply.
We hired a CISO out of the military with a background in technology security. She makes sure the execs are paying attention. We have a team that consists of privacy officer, corporate compliance, audit, and CISO. They meet regularly to address all aspects of HIPAA and HITECH requirements including education.
It is business as usual with no real interest from the senior team or the board.
Our Privacy and Security Officers are, and they’re slowly getting the attention of leadership. We addressed a lot of the changes in the proposed rule, so we don’t have as much to address as we would otherwise.
Business as usual.
[vendor member response] Within our customer base I am seeing customers starting to pay attention to making sure all BAAs are updated and signed. However, I have had a couple of folks tell me there is “no hurry, since we have until early fall to totally comply.” I personally am not hearing of any urgency to meet the rule within any conversations I am having at the executive level. I am hoping that urgency is there, just not being expressed to me!
Business as usual.
Some attention — trying to understand the implications…
Except for Compliance, Legal, and IT, it hasn’t had a lot of attention. Many vendors, especially small to mid-sized cloud hosting vendors, have not fully realized the implications.
Appropriate attention has been paid by those over that area.
Our executives have reviewed the rule to see where we need to comply and what actions to take.
Yes. This has been an agenda item for our executive-level compliance and privacy steering committee. As a result we’ve modified our business associate agreement, are in the process of rewriting the notice of patients’ right to privacy, and the same with our data breach evaluation criteria.
Just business as usual. Haven’t heard it come up even once.
Business as usual.
Business as usual. We are overwhelmed right now with MU and NCQA. So many regulations, such limited staff to execute.
If anyone is paying attention to this, it is hard to tell.
More of business as usual. The interpretations and evasions are so vast and pandemic that it is more of a series of workarounds than a policy.
All with active BAAs are being touched. Mail-merged form letter, follow-up phone call, lawyer letter if still no response.
Wow. Those are some scary answers. Maybe you’d be doing all of us a favor by developing a HIPAA Omnibus Rule 101 series for HISTalk!!!!
I think there is still considerable confusion and aversion over the definition of Business Associate. In the previous rendition of HIPAA, business partners were fine signing the BA because they had no skin in the game. Now under the new rulings there are definitely implications to being a BA. I know myself that I am starting to receive new BA Agreements now, and their BA definitions would leave any vendor who does not transmit PHI out of the equation, which I am fairly certain is not the case.
From my work with vendors I think it still has not hit home. The new Rule moved them from bystanders to ‘participants’, a change that has yet to resonate. As with many of these regs, the rubber will meet the road when one of them gets hit with that $1.5 million fine. And given the frequency of lost/stolen thumb drives, laptops, etc., it won’t be long.
Working with/for a Regional Extension Center, I spend a great proportion of my time guiding/coaching covered entities through the required HIPAA Security Risk Analysis and Incident Response team protocols/policies and procedures. The HIPAA Omnibus compliance date of September 23, 2013 is top of mind for medical practices, small and critical access hospitals, rural health centers, and FQHCs in order to meet Stage 1 / Year 1/2/3 of the CMS EHR Incentive program. And living and working in Idaho, we have unfortunately received the first ever fine/penalty for a breach under 500 patients, as well as the first fine (of $400,000.00) for over 500 patient records in 2013. It is on our minds and action plans are in motion, but there is a lot to do! Your Regional Extension Center most likely has great resources in the area of HIPAA Privacy and Security, as I am certain about the WA & ID Regional Extension Center.