The Office for Civil Rights (OCR) has stepped up its efforts to provide practical HIPAA guidance to the industry through its new blog series, “The Real HIPAA,” and the supporting fact sheets on the topics the blog addresses. Healthcare has been starving for this kind of guidance since the HIPAA Rules were finalized. This guidance is important for a number of reasons.
For example, the “reasonableness” language in the Security Rule has always left a lot to interpretation, leading to highly variable levels of security program performance from one organization to the next. At a time when information sharing is most critical, that variance makes it hard for Covered Entities and Business Associates alike to collaborate within a common paradigm of trust based on a shared view of risk and controls. OCR’s comments and guidance regarding interoperability, uses and disclosures of PHI, care coordination/care management, and quality assessment/improvement provide tactical direction and clarify the behaviors, processes, and mindset that organizations should adopt.
This guidance is also important because it provides insight into how OCR will enforce HIPAA, both in its reactive investigations and its proactive audits. Organizations should review this information with their risk management committees and compliance teams to determine whether there are opportunities to refine existing policies and procedures, or document new ones, to better align with OCR’s guidance.
Finally, organizations that are in the process of, or planning, an IT Security Risk Assessment or Privacy Program Review should bring this new guidance into their process. Organizations that pay attention to OCR’s publications and consider how to apply the guidance in practice, in real time, demonstrate “intent” to comply and foster the “culture of compliance” that OCR emphasizes.
The link to the blog series can be found here: https://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/interoperability-electronic-health-and-medical-records/the-real-hipaa-supports-interoperability/