Thursday, June 13, 2013

HIPAA Omnibus Rule - Increased PHI Security Requirements

Since the mandate for "meaningful use," healthcare organizations have struggled to comply with the numerous regulations surrounding patient information and keeping it secure. The HIPAA Omnibus Rule is making things even more challenging, especially for those who work as subcontractors, consultants, and vendors for these organizations. This new rule has increased accountability and compliance regulations for these groups, making organizations responsible for guaranteeing their compliance. Previously, vendors were only accountable to the terms outlined in their "business associate agreement."
So, what exactly does this mean for an organization?

  • They must ensure vendors understand responsibilities associated with patient data such as the requirements for how it's maintained and stored.
  • Contracts must now be very detailed and clearly delineate responsibilities associated with PHI.
  • System reporting capabilities must be robust and in compliance should an audit by Health and Human Services occur.
I believe protecting patient data should be top priority. That being said, the number of requirements healthcare organizations have for vendors is mind-boggling. Between policies, vaccines, background checks and education, something may have to give. Thankfully, it won't be patient privacy, as the Omnibus Rule is coming from the government, whereas most other rules are coming from third-party vendor management companies. In some facilities, vendors are held to even higher standards than the full-time employees.
This rule became effective March 26, 2013, but organizations have until September 2013 to comply. Working as one of these vendors, I'm waiting to hear about the requirements my customers will have. I'll let you know!



Article Referenced:

http://www.healthcareitnews.com/blog/new-omnibus-rule-how-will-it-impact-healthcare-it-vendors?page=1



