In only one week, fines commence for failing to comply with new HIPAA Omnibus rules. Eight months ago, when we all took our first look at the new Final Rule, it appeared to be loaded with changes, and the path to compliance seemed daunting. However, the past months have been filled with a plethora of information and education for both Covered Entities (CEs) and the Business Associates (BAs) that serve them.
At this stage of the game, you should have a firm handle on the nuances of HIPAA Omnibus, which you must convey to your staff in advance of the impending compliance deadline. You’ve researched the changes, updated policies and procedures, and educated staff. BA agreements have been refreshed and new Notices of Privacy Practices distributed. (If you’re still a little fuzzy about certain intricacies of the new Final Rule, the American Medical Association has published a useful summary.)
So with one week left, what is the final task to ensure compliance and mitigate the risk of civil penalties from the HHS Office for Civil Rights (OCR), the agency that enforces HIPAA? It is a thorough check of your IT systems. This final hurdle must be overcome within the next week, and the documentation describing your compliance efforts must be completed.
Patient Requests for Restriction—Check Your Systems
Unlike other areas affected by HIPAA Omnibus, the management of patient requests for restrictions on disclosures to health insurers involves more than just policy change. Under the Final Rule (45 CFR 164.522(a)(1)(vi)), when a patient (or someone on the patient’s behalf) has paid out of pocket in full for an item or service and asks that it not be disclosed to the health plan for payment or health care operations, you must honor that request unless the disclosure is otherwise required by law; other restriction requests you may accept voluntarily. Either way, once a restriction is in place you have to enforce it, and your electronic health record (EHR) is likely your primary means of doing so. Your IT systems need to accommodate restrictions.
They must have programmable flags for identifying information that shouldn’t be released or forwarded. These flags need to be obvious to, and heeded by, everyone who accesses the record, and every outbound data flow (claims, eligibility checks, quality and plan reports) should consult them before data leaves the system. Ask yourself the following questions as you fine-tune your software in the coming week:
- How will a restricted record be prevented from flowing to other systems (interfaces, clearinghouses, health information exchanges) that in turn disclose to the payer?
- How will you intercept restricted data that could be released inside aggregate health plan reporting, or through any other channel covered by a restriction you have accepted? A restriction enforced only on the individual claim is bypassed if the same encounter is counted in a plan-level extract.
- Will removing this data skew the results of critical information that is required for optimum quality of care?
- How will restriction requests affect managed care arrangements and other payer contracts under which you are obliged to provide data?
- Does your organization allow for the restriction of separable and unbundled healthcare items or services, so that a patient can restrict one self-paid item without restricting the entire encounter?
Finally, the processing of patient requests for restriction must be fully documented, workflow and policies must be updated, and staff must be informed. The plan should answer the following questions:
- How will the request for restriction be received?
- Who in particular will receive the notification and start processing the request?
- Who will ultimately approve or deny the request, and how will the decision and its scope be recorded in the EHR?
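The checklist above describes a flag-and-gate design: mark restricted items in the record, then consult the marks at every point where data leaves the organization, including aggregate plan reports. The following is an added illustration, not code from the original article or from any EHR vendor. The data model (service lines, a restriction registry), the recipient identifiers such as `PLAN-A`, and the audit-entry format are assumptions made for the example; the one rule it encodes from the Final Rule is that a self-paid-in-full item must not go to the health plan for payment or health care operations unless required by law.

```python
"""Added example: enforcing accepted patient restrictions at the point of
disclosure. Data model and identifiers are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, Optional


class Purpose(Enum):
    """Purpose of an outbound disclosure."""
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "health care operations"
    REQUIRED_BY_LAW = "required by law"


@dataclass(frozen=True)
class ServiceLine:
    """One billable item or service on a patient's record (assumed model)."""
    patient_id: str
    encounter_id: str
    line_id: str
    cpt: str
    charge_cents: int
    self_pay_in_full: bool


@dataclass(frozen=True)
class Restriction:
    """A restriction the covered entity has accepted or must honor.
    Scoped to one service line so an unbundled item can be restricted
    without restricting the whole encounter."""
    patient_id: str
    line_id: str
    restricted_recipient: str   # e.g. a health plan identifier (assumed)
    purposes: frozenset         # Purpose values this restriction blocks


def self_pay_restriction(line: ServiceLine, plan_id: str) -> Restriction:
    """The restriction 45 CFR 164.522(a)(1)(vi) requires: a self-paid-in-full
    item must not go to the plan for payment or health care operations."""
    if not line.self_pay_in_full:
        raise ValueError("self-pay restriction requires payment in full")
    return Restriction(line.patient_id, line.line_id, plan_id,
                       frozenset({Purpose.PAYMENT, Purpose.OPERATIONS}))


class RestrictionRegistry:
    """Accepted restrictions keyed by (patient, service line)."""

    def __init__(self, restrictions: Iterable[Restriction]):
        self._by_key: dict = {}
        for r in restrictions:
            self._by_key.setdefault((r.patient_id, r.line_id), []).append(r)

    def blocking(self, line: ServiceLine, recipient: str,
                 purpose: Purpose) -> Optional[Restriction]:
        """Return the restriction that forbids this disclosure, if any."""
        if purpose is Purpose.REQUIRED_BY_LAW:
            return None  # the rule excepts disclosures required by law
        for r in self._by_key.get((line.patient_id, line.line_id), ()):
            if r.restricted_recipient == recipient and purpose in r.purposes:
                return r
        return None


@dataclass
class DisclosureResult:
    released: list = field(default_factory=list)
    suppressed: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # one entry per suppression


def disclose(lines: Iterable[ServiceLine], recipient: str, purpose: Purpose,
             registry: RestrictionRegistry) -> DisclosureResult:
    """Single choke point for every outbound flow (claims, eligibility,
    quality reports). Suppressed lines are logged, never silently dropped."""
    result = DisclosureResult()
    for line in lines:
        hit = registry.blocking(line, recipient, purpose)
        if hit is None:
            result.released.append(line)
            continue
        result.suppressed.append(line)
        result.audit.append({"patient": line.patient_id, "line": line.line_id,
                             "recipient": recipient, "purpose": purpose.value,
                             "reason": "accepted restriction"})
    return result


def plan_totals_by_cpt(lines, plan_id: str, registry: RestrictionRegistry) -> dict:
    """Aggregate report for a plan: gate first, then sum, so restricted
    lines do not leak through plan-level totals."""
    totals: dict = {}
    for line in disclose(lines, plan_id, Purpose.OPERATIONS, registry).released:
        totals[line.cpt] = totals.get(line.cpt, 0) + line.charge_cents
    return totals


def sample_data():
    """Constructed sample: P001 paid for a lab test (L2) out of pocket and
    restricted it from PLAN-A; everything else is unrestricted."""
    lines = [
        ServiceLine("P001", "E100", "L1", "99213", 12000, False),
        ServiceLine("P001", "E100", "L2", "80053", 4500, True),
        ServiceLine("P002", "E200", "L3", "99214", 15000, False),
    ]
    registry = RestrictionRegistry([self_pay_restriction(lines[1], "PLAN-A")])
    return lines, registry


if __name__ == "__main__":
    lines, registry = sample_data()
    claims = disclose(lines, "PLAN-A", Purpose.PAYMENT, registry)
    print([l.line_id for l in claims.released], [l.line_id for l in claims.suppressed])
    print(plan_totals_by_cpt(lines, "PLAN-A", registry))
```

Two design points matter more than the data model. First, the aggregate report calls the same `disclose` gate before summing, which is what closes the leak the checklist asks about: a restriction enforced only on individual claims is useless if the restricted encounter still shows up in a plan-level total. Second, every suppression produces an audit entry, which gives you the documentation of restriction handling that the compliance plan requires.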
Crossing the Finish Line
September 23 will be here in one week. Although compliance with HIPAA Omnibus seems an arduous task, many of the required adjustments are policy changes, which must be understood and conveyed to staff. But it’s your mastery of restriction management that will go furthest toward satisfying HIPAA compliance. Pay particularly close attention to your EHR, your primary tool for restriction management. Carefully programmed to enforce restrictions at every point where data leaves the system, your EHR can prevent the unwanted flow of data, limit access to it, and move you ever closer to the private and secure data environment envisioned by HIPAA.