HIPAA myths date back to the first of several administrative simplification rules. Now HITECH myths also abound. It is true that the Office for Civil Rights (OCR) is not enforcing a number of the privacy and security provisions of HITECH, but that does not mean HITECH can be ignored or that compliance can wait until all HITECH rules have been finalized.
Most of the changes to the HIPAA Privacy, Security and Enforcement Rule are in effect now and have been since February 2010. The rules may not be final, but the statute is. Also, while OCR is not enforcing all of the provisions of HITECH, state attorneys general are. Several covered entities and business associates have found themselves called to court as a result of cases filed in federal court by several different states.
The breach notification interim final rule was enforceable September 2009 and the enforcement interim final rule was enforceable February 2010. These are rules OCR is now enforcing. This means a breach of unsecured PHI, electronic or non-electronic, may need to be reported to individuals and OCR. If the breach involves 500 or more individuals, you can expect a call from OCR not too long after you report the breach to OCR, and your organization's name will be added to the list of covered entities that have reported breaches of 500 individuals or more on the OCR public web site.
OCR has been active in enforcing compliance with the HIPAA Privacy, Security and Breach Notification Rules. This has led to the levying of large civil penalties or agreed-to monetary settlements, the requirement for external monitoring of compliance, or both. Also, enforcement may follow complaint investigation, and the new OCR HIPAA audit program has not replaced other mechanisms of enforcement.
The purpose of this webinar is to provide an overview of the HITECH privacy, security, and enforcement requirements. The webinar will cover how HITECH and HIPAA match up and provide resources related to what requirements mean and how they apply to covered entities and business associates.
Participants will walk away with the compliance tools and guidance needed to comply with existing statutory requirements and the interim final rules already in effect. This includes a compliance checklist and a list of templates that need to be updated, from the business associate contract to the notice of privacy practices.
Enforcement provisions and how they impact covered entities and business associates will be reviewed. This includes enforcement related to breach notification, enforcement related to complaints filed with OCR, and the OCR HIPAA audit program, which launched November 2011. Now that enforcement activity has picked up and may involve small to very large entities, it is important to understand the steps to take to avoid civil penalties, monetary settlements and formal corrective action plans. OCR or state attorneys general may knock on your door, and it’s wise to be prepared.
In summary, this webinar assists you in sorting through the HITECH myths and understanding what you are required to comply with today, not when the rules are final. It will also arm you with the tools you need to identify areas where action is needed to reasonably ensure compliance with both HIPAA and HITECH. Being prepared helps save time and money, especially if the regulators show up on your front steps.
Areas Covered in the Session: