Evidence of HIPAA compliance tips for healthcare providers
Rose McGowan on 20 May 14

According to healthcare attorney Susan Miller, detailed evidence of HIPAA compliance and going beyond just the black-letter HIPAA rules will be important factors when the Office for Civil Rights (OCR) makes its HIPAA audit rounds this fall. Miller said that OCR has been talking about evidence of compliance since 2009, when it first released the HIPAA Omnibus Rule Notice of Proposed Rule Making (NPRM).

Evidence of compliance, in my view, goes beyond what the rule asks of an organization, such as where its policies and procedures are. This includes the Notice of Privacy Practices (NPPs) and business associate agreements (BAAs), but they've also [made it clear] that organizations must have a breach plan. In no place in the regulation does it say that an organization has to have a breach plan or process. It does make sense to have a breach plan to know what the organization will do when it has a breach event. I would suggest that organizations have a breach plan that they look at and update yearly.

OCR will be looking for specific things in the plans, Miller said, including communication tactics within a breach plan. And Miller tells her clients that they need a detailed training plan, as well as the training materials and sign-in sheet, or even some way to know when staff complete computer-based training (CBT) modules, depending on how they do training. The important thing is knowing the training was completed.

And organizations need something similar to a contingency plan, which is in the Security Rule but which the larger organizations name as business continuity and disaster recovery plans. "Think of [the Boston Marathon bombings] - you need something that's going to help you continue to function during these events that are out of the control of the covered entity or business associate (BA)," Miller said.