As I write this, we’re a few days away from the HIPAA omnibus final rule’s compliance date of September 23. Since its release in January, healthcare clients large and small have wanted to talk about how the revisions to the HIPAA security rule affect them and their IT service providers. These organizations are showing a remarkable appetite to innovate using the latest in cloud technology, but they also have concerns over whether the cloud is secure enough to protect electronic patient health information (ePHI). And everyone wants to know: is my service provider compliant?
We don’t—and we won’t—know that for quite a while. As with any law, we won’t know how it will be interpreted until a case goes to court.
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is promising another round of periodic compliance audits, but it has not announced when they will happen or how extensive they will be. Compounding that uncertainty is the fact that even though September 23 is right around the corner, information derived from enforcement actions or periodic OCR audits likely won’t be available for another six to 12 months. Until audit results are shared or judgments handed down, we won’t know the level of “security” required to be compliant.
So as a healthcare organization what should you do in the meantime? Simple: don’t be content.
Security can always be improved, processes can always mature and procedures can always be better documented. Set reasonable and appropriate goals that go beyond implementing the bare compliance minimums and instead aim to improve ePHI safeguards. With this approach, you are much more likely to put in place the right level of safeguards.