12 Steps to HIPAA Omnibus Compliance

At last week’s annual conference of the Medical Group Management Association (MGMA) in San Diego, strategies for achieving and maintaining compliance with the Omnibus Rule of the Health Insurance Portability and Accountability Act (HIPAA) were a hot topic. With implementation of new federal privacy and security requirements on September 23, HIPAA compliance issues dominated many discussions.

MGMA13 offered a number of useful presentations and excellent panel discussions geared toward helping medical practices and healthcare providers fine-tune their implementation of HIPAA compliance requirements before regulatory auditing begins. Of particular note was a joint presentation by Robert Tennant and Amy Nordeng of MGMA Government Affairs and Massachusetts attorney Susan Miller, who summarized the new HIPAA Omnibus regulations, offered practical recommendations for implementation, and analyzed the potential pitfalls physician and dental practices might run into.

Their 12 Steps to HIPAA Omnibus Compliance were summarized by Rajiv Levental on Healthcare Informatics as follows:

1. Perform a thorough risk assessment of your information security practices.

2. Review current information security policies and procedures, paying particular attention to closing any existing gaps between old and new HIPAA regulations.

3. Identify all locations of protected health information, including information available to or accessed by subcontractors or third-party providers such as your medical call answering service.

4. Determine what information must be encrypted and the extent of encryption required. For example, MedConnectUSA’s new HIPAA-compliant secure message app uses SSL/TLS encryption and sends messages directly to your phone, bypassing the cell phone carriers’ text messaging service so that messages never pass through a channel where they could be intercepted.

To be continued in the next post.