HIPAA... How Is Your Program Evolving?
Concepts associated with HIPAA privacy and security have continued to evolve since the rules were first issued, through the HITECH Act, the Affordable Care Act, and the Omnibus Rule updates of the last several years. If your HIPAA program is stale, unchecked, or unchanged, you are at risk of both enforcement action and data compromise. Your organization should be evaluating new publications and activity surrounding these regulations in order to anticipate regulatory enforcement and expected standards of performance. HIPAA is a minimum standard; your organization can always exceed it. Furthermore, the HHS Office for Civil Rights (OCR) is responding to changes in technology, cultural perceptions, other regulations, and emerging trends.
The OCR has been actively releasing new guidelines, fact sheets, FAQs, and audit resources that your organization should review closely. While these are not revisions to the rules, they offer clear insight into the OCR's interpretation of the scope and applicability of HIPAA regulations to covered entities and business associates. Healthcare entities should also study the OCR audit protocol and the 2016 desk audit plan, which describe in detail what the OCR requests to demonstrate that both privacy and security standards are met. The OCR asks detailed questions about processes, supporting evidence, and communication across the organization. This provides valuable information about the documentation requests, policy content, and oversight requirements that the OCR would expect to review at your organization.
The OCR has also demonstrated increased enforcement through regularly published settlement agreements that outline HIPAA infractions and the required remediation. Every enforcement action reduces the ambiguity about the OCR's expectations and minimum standards. Each area of enforcement described in the corrective action plan of an individual agreement communicates what the OCR considers success under HIPAA and how far its recommendations reach, including policies, data, processes, individuals, and systems.
The National Institute of Standards and Technology (NIST) is often cited as an industry standard under the HIPAA security regulations. The NIST Special Publication 800 series addresses computer security with publications and guidance that include specific technology criteria. NIST regularly publishes updated and revised standards that respond to technology changes and emerging trends in federal security management. These can be of significant value because the HIPAA security regulations are conceptual and offer few concrete specifications or benchmarks. Using NIST gives you more detailed criteria and a framework to consider for achieving the principles of HIPAA. Understanding and evaluating changes to the NIST standards helps you align with the HIPAA security standards and stay current with security trends.
Keeping your organization aligned with the updated HIPAA standards is tricky enough on its own. With additional information constantly being published by valuable sources such as the HHS Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST), here are a few resources to bookmark as a quick reference guide:
Carrie Aiken serves as the Associate Director of Corporate Compliance and Privacy Officer for Navitus Health Solutions. In this role, she provides active leadership and support for the Navitus Corporate Compliance Program, and acts as the HIPAA Privacy Officer.
Carrie has over 25 years of experience across several healthcare disciplines including physician, hospital, home health, and pharmacy, as well as contracting and revenue cycle. She has been involved with HIPAA since the inception of the privacy and security rules and currently participates in the HIPAA Collaborative of Wisconsin Privacy Work Group. She manages compliance-related work plans and risk assessments, and participates in the development of policies and procedures, education, reporting, risk analysis, and mitigation.
Carrie seeks to maintain the excellent momentum of Navitus' current compliance state and deliver this message to clients, pharmacies, and members. She also actively ensures integration between operations and compliance as Navitus grows and new risks emerge.
Prior to joining Navitus, Carrie spent 10 years at SVA Healthcare Services as the Compliance and Consulting Manager and Privacy Officer.
Carrie is certified in Health Care Compliance through Health Care Compliance Association (HCCA), and serves on the Board of Directors for the Wellness Compliance Institute. Carrie earned her B.A. from the University of Wisconsin-Madison, where she studied Anthropology and African Languages and Literature.