This all depends on where you are with your HIPAA compliance plan and the necessity to have one in place. This article, taken from an interview with Leon Rodriguez from the HHS Office for Civil Rights, highlights critical points that covered entities, business associates and their subcontractors should be looking into and taking notice of.

Leon Rodriguez from HHS says:

  • “What we’ve been learning from the monetary settlement cases we’ve done so far is that there is plenty of non-compliance out there, plenty of room for improvement.”
  • The proposed HIPAA modifications will require business associates and their subcontractors to comply with the HIPAA Security Rule. Once the omnibus package is published, business associates will have just 180 days to comply. An industry issue is organizations trying to get Meaningful Use Core Requirement 15 completed without having their HIPAA compliance plan in place. This approach will get organizations into a heap of trouble when the Government starts its next round of audits.

What does that mean for organizations? Well, that depends. If you are a Business Associate or a subcontractor to a Business Associate, 180 days after the release of the final version of the Omnibus Rule you will be required to be in compliance with the Security Rule. For all others, it is time to finish up, get started, and move forward with tracking of your compliance plan, your policies and procedures, your training, and your Business Associate Management, along with the many other parts of the regulation that you need not only to comply with but also to be able to show compliance evidence for during a compliance audit.

The last issue that really concerns me for small practices is Mr. Rodriguez's continual statements on the number of fines that are coming down and the monetary amounts that will be tied to them. Here are some quotes:

  • And be warned: Rodriguez says healthcare organizations should expect to see OCR issue more and larger monetary penalties for HIPAA non-compliance in the months to come. OCR has an “inventory” of ongoing investigations that Rodriguez expects will conclude with monetary settlements.

No matter what you do, you must have a plan in place that includes tracking of the outcomes. You must follow all the rules (HIPAA Privacy, Security and HITECH); you cannot just do some of it, you need to do it all, no matter if you are one doctor or a multi-hospital chain. With that said, here is a short list of what you should have in place to show an auditor if you become involved in an audit:

  • Policies and Procedures for all aspects of the rule (Privacy, Security and HITECH), along with all revisions for the last 6-plus years.
  • Current and past Gap Analyses
  • Current and past Remediation Plans, along with resolutions to the gaps
  • Training records for all employees on HIPAA and attestation to enacted policies and procedures

Read the full article at https://www.healthcareinfosecurity.com/interviews/hipaa-enforcer-reveals-audit-timeline-i-1736?goback=.gde_2864866_member_196978034