Ask the legal expert ... about HIPAA enforcement
Attorney John Durso, Ungaretti & Harris LLP
HIPAA — so far seems like much ado about nothing. What's liable to trip us up when we're not looking (but otherwise running a tight ship)?
As evidenced by recent news, HIPAA enforcement is a priority of the Department of Health and Human Services this year. Skilled nursing facilities should first ensure that they have implemented the required HIPAA privacy, security and breach notification policies, and that these policies have been updated to comply with the HIPAA regulations from January 2013.
The facility should provide training in orientation and annually, noting policy changes. The SNF should document the content of the training and attendees, such as through a sign-in sheet.
An important element to HIPAA compliance is the facility's security risk assessment, designed to review the safeguards in place to protect residents' health information. The facility should periodically update this assessment, and likewise update the risk management activities that respond to risks and vulnerabilities. For example, if the assessment identifies a concern with the electronic transmission of protected health information through email, or risks to protected health information stored on mobile devices, the facility may consider mandating email only through an encrypted system, including encrypted laptops.
Finally, a facility should ensure that it executes business associate agreements (BAAs) with vendors that will receive or have access to protected health information (unless a HIPAA exception applies). BAAs executed on or after Jan. 25, 2013, must include updated language mandated by the 2013 HIPAA regulations; BAAs executed prior to that date have been “grandfathered” and need to be updated prior to Sept. 22.