Here’s the official 10th tip to help you comply with today’s Omnibus Rule deadline. However, since I had to make TIP TWO into TIPs TWO through SEVEN when I realized my time was running out, I will continue to blog a few more tips over the coming weeks. I expect that at least a few of this blog’s readers will continue to move toward Omnibus Rule compliance for months to come, so I will continue to post tips that might be useful (and may help you implement TIP TEN).
TIP TEN:
Make HIPAA compliance an ongoing, living process so as to decrease the risk of Civil Monetary Penalties (CMPs) for “willful neglect”.
The Omnibus Rule adopts many of the enforcement provisions set forth in the Notice of Proposed Rulemaking (NPRM) published on July 14, 2010, but there are a few modifications that show that ongoing compliance efforts (or the lack thereof) can make an important difference in HHS’ penalty determinations.
For example, at 45 CFR 160.408, “Factors considered in determining the amount of a civil monetary penalty”, HHS modifies the language used to describe “mitigating” and “aggravating” factors in imposing a CMP. Rather than looking at “prior violations” of HIPAA, HHS will look at “previous indications of noncompliance”. HHS will no longer consider whether the “violation was intentional” and/or whether it was “beyond the direct control of the covered entity”, but will consider the number of individuals affected. In addition, the Omnibus Rule provides (at 45 CFR 160.306 and 308) that HHS will investigate complaints and conduct reviews “when a preliminary review of the facts indicates a possible violation due to willful neglect.”
So TIP TEN is to keep working toward HIPAA compliance, even as compliance deadlines pass, and even when you feel you’ve updated your contracts, notices, authorizations, and policies and procedures. Regularly check for HHS, OCR, and ONC guidance, and honestly and regularly look for compliance shortfalls, correcting them within 30 days whenever possible.