Action steps for C-Suite
Though enforcement will not come until the fall, CEOs must know the changes will require actions that go beyond the simple checklist approach to compliance that has been par for the course over the past several years, Herold says.
"Those responsible for compliance must be able to implement, and maintain, controls that will fit the organizational environment, and that will be incorporated into every-day work activities," she adds.
Healthcare leaders, she says, should consider the following compliance action steps:
- Support more training, and significantly more ongoing awareness communications, than most CEs and BAs currently are providing.
- Encourage more oversight of BAs. This means better tracking of the BAs.
- Update the organization's breach-response plans. The rule eliminates the "harm threshold" provision, which allowed covered entities and business associates to avoid breach notification if they determined themselves that a breach would not cause harm to an individual. HHS now calls for covered entities and BAs to assess the probability that the PHI has been compromised instead of assessing the risk of harm to the individual.
- Establish a way to monitor compliance and risks on an ongoing basis, along with metrics/statistics, to most quickly identify when problem areas with regard to security and privacy emerge.
- Implement better PHI safeguards by CEs and all others (BAs and their subcontractors), which will lead to fewer breaches and also help to ensure more accurate PHI.
- Assign a person/team responsibility for doing a gap analysis between current practices and the new requirements.
- Identify all BAs, make sure they know the new requirements, and provide some type of evidence to demonstrate their compliance activities.
- Plan to provide an awareness communication about the upcoming changes to personnel as soon as possible, and then plan a training session with all personnel sometime in the near term (e.g., within the next month or two; by the March 25 effective date would be ideal).
- Implement ongoing compliance monitoring actions, with associated metrics.