Plan of Attack for HIPAA 2.0

Where do you get started with all these changes? It is important to understand that HIPAA 2.0 compliance means more than holding an annual training session and keeping a binder of policies on the shelf. HIPAA 2.0 means regular training in every area of your business and documentation of everything, including regular reviews of your compliance status. Under HIPAA 2.0 you have to PROVE you are compliant, and the proof is the documentation of your activities.

  • Business Associate requirements have the most extensive changes under HIPAA 2.0. Get the ball rolling on those issues immediately.
    • Both CEs and BAs have to determine who they use as Business Associates and make sure those BAs are compliant.
    • Obtain updated Business Associate Agreements from your legal counsel
    • Review your workflow to make sure you have a complete list of BAs that need agreements signed
    • Review your Accounts Payable and the 1099s you issued to make sure you have identified every BA
    • BAs must also make sure they have agreements in place with all of their subcontractors and their own BAs
    • Rank your BAs by risk and priority based on how much PHI they can access and how much you rely on them
    • Begin performing due diligence or audits of your BAs to determine their level of compliance readiness
    • Follow HIPAA guidelines for dealing with BAs that either don’t accept that they are BAs or choose not to comply
    • If you are a BA, get to work on your compliance documentation, policies and procedures so you can be proactive, supply your compliance evidence to your CE clients and reduce their workload
  • Notice of Privacy Practices must be reviewed and updated by every CE.
    • Get started on the updates to address the Privacy Rule changes
    • Plan what method of distribution you will use
  • Perform a complete and thorough Risk Analysis as defined in the Security Rule.
    • It is the first implementation specification listed under the Security Rule’s administrative safeguards
    • According to the 2012 OCR audit findings, a Risk Analysis has not been done in many cases
  • Your Risk Analysis will turn up issues that must be addressed in some manner.
    • Document your plan to show how you intend to address every one of them.
    • Document all the reasoning behind the decisions in your plan.
    • It isn’t important to be perfect; it is important to have a plan.
  • Complete the updates to your formal policies and procedures to address
    • Privacy changes
    • Breach Notifications requirements
    • Business Associate requirements
  • Document everything. Documentation is your key to proving that compliance is happening in your practice or business.
    • Document that you are going to document everything
    • Document that you talked about documenting everything
    • If any conversation or action has anything to do with HIPAA, document it
  • Begin training ALL staff members as soon as possible, even if it is only on small portions of the changes being implemented.
    • Training should happen regularly, no longer just once a year, so build a training plan.
    • Document when, what, where and who you train each time.
    • Document it even when you do one-on-one training for a single staff member.
  • Plan when you are going to take these steps and document the schedule. The compliance deadline is September 23, 2013.

If your business’s compliance has not been up to par with what was expected under HIPAA 1.0, you will likely have a great deal of work to do to meet the HIPAA 2.0 requirements on time. The project as a whole can be overwhelming. Get help with your risk assessment, project management and compliance plan if you don’t know where to start. Getting started is the most important step now. The appearance of willful neglect is what you want to avoid at all costs, because it carries the highest penalty tier. Show that you are making a serious, documented effort and you should be able to avoid that classification.
