HIPAA Training

Find your training needs here and sample policies and procedures.

HIPAA 4 MT

One of the biggest challenges for many of us is doing the risk analysis required by the HIPAA Security Rule. The industry has struggled with how to conduct it, what to cover, and how to document it. This past week the Office of Civil Rights issued a draft guidance document about the risk analysis required by the Security Rule.

The document is titled “HIPAA Security Standards: Guidance on Risk Analysis” and should be reviewed if you still have not conducted your risk analysis.

The OCR is tasked with issuing annual guidance related to the security rule. Following these guidelines as they are issued will help you stay on top of what you should be doing to be compliant.

Have you conducted your risk analysis? If not, now is the time!

The US Department of Health and Human Services (HHS) released its semi-annual regulatory agenda this week. Included in it are the updates to the HIPAA privacy, security and enforcement rules and regulations.

The healthcare industry has been waiting for specific information from HHS on how the changes brought about by the HITECH Act will impact the HIPAA rules, and next month should make this more clear.

While the notice did not specify which rules would be impacted, the Office of Civil Rights (OCR), which enforces the privacy and security rules, addressed this earlier this month with the following list:
* Business associate (BA) liability
* New limitations on the sale of personal health information, marketing, and fundraising communications
* Stronger individual rights to access electronic medical records and restricting the disclosure of certain information

Although the HITECH Act was effective February 17, neither agency had released any dates as to when we can expect updated rules and regulations until this week. At least now we know they are coming next month.

HIPAA Policies and Procedures: Are Yours Written?

I've been heavy into the revision for the Stedman's Guide to the HIPAA Privacy Rule the last few weeks. It's an exciting project and one that will now include the security rule and speak to more than just medical transcription, covering healthcare documentation in general. The HITECH Act recently enacted made some very significant changes to the HIPAA rules, and doing this writing has given me cause to wonder just how many business associates are really watching that. It's like negotiating a maze and trying to figure out how to get to the end.

The rules now require a business associate to follow them as if they were a covered entity. That means a lot more work, and it means written policies and procedures that show how you do all of the things required for compliance. It also means updated business associate contracts. Many of the people I've talked to are "waiting on the customer" to get these things done; however, that will not make you compliant, and it sure won't pass an audit should your company be one that the government selects for its random audits. Someone asked me the other day if I found this exciting or scary. My response was that when I think about so many smaller businesses who probably are not doing these things, it's scary. I know what a big job it is to run a business, and just one big fine because you're not doing things right could have a huge impact on your business operations.

Today we have added a page here that shows some of the services we can provide. I hope you will stop and take a minute to look through that. If we can help, we're here.

What are you doing to be sure you have these things in place? Are all of your policies and procedures documented? What's your biggest struggle related to the new changes?

If It's Not Documented, It Isn't Done

How many times have we heard that in our industry? In a medical report, the understanding is that if it isn't documented, it didn't happen. That is what makes healthcare documentation so critically important. It is also what makes it important that documentation is complete and correct. No physician can use the excuse "well, even if it's not written down, that IS how I did it" when they are called into court and questioned about the care they provided a patient.

Our world is now a lot more like this related to HIPAA and the HITECH Act. Do you have your written policies and procedures? Have you updated all of your business associate contracts to include the new language required by law? If not, then you are, simply put, not compliant. If it's not written down, it doesn't exist in this new world we are in now.

It's the same thing with your risk analysis and gap analysis. Have you done these? If so, is it documented? If it's not documented, then you will not be able to say it's done if you happen to be one of the unlucky ones who gets audited.

Take the time now to get the things in order that you must have to be sure you can SHOW that you are compliant. Simply saying you follow the rules just isn't enough anymore. Get it documented!

How about it? Do you have a written gap analysis? Are your policies written and well documented? What do you still need to do to assure you are compliant?

HIPAA for Medical Transcription: Where You Should Be By Now

The HITECH Act was effective last month, and many of you have written to ask what you should have done by this time to be compliant. This post gives some highlights of where you should be by now. If you're not there yet, you are out of compliance, and now is the time to get it done.

This list covers those who are independent contractors and/or business owners. Keep in mind that an independent contractor IS a business owner, so if you are an IC with a company of one, these rules still apply to you if you contract directly with a covered entity. If, however, you contract with a medical transcription service, then you are most likely a subcontractor to them. While you do still have to follow the rules, it's a tad different in what you are required by law to have in place.

By now, you should have:

  • Identified both a privacy officer and a security officer for your company (this can be the same person, although it does not have to be).
  • Performed a formal risk analysis of your systems, covering both privacy and security.
  • Written a set of formal policies and procedures for all of the things related to the privacy and security rules. Within the Security Rule, you must at least address every point in the specifications even if you don't implement them. When something is not done, your documentation must show why it was not reasonable for you to do it, and that justification must also show why an alternative would not work.
  • Outlined a strategy for disaster recovery and for access to information in the event of a disaster.
  • Conducted training on both privacy and security for your staff (security training must be done annually, which should also be spelled out in your policies).
  • Updated your business associate contracts to add the new language required by the changes in the rules.

And that's just the start of the list! If you haven't started on this yet, NOW is the time to get something going. The law now requires audits to be done to be sure people are compliant, and you don't want to be the one who gets audited and is found to have completely ignored the new rules.

What have you done in your workplace to be sure these things are in place?
