Briefings on HIPAA

Editor's note: The following is adapted from the HCPro book The HIPAA Omnibus Rule: A Compliance Guide for Covered Entities and Business Associates, by Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, Mass. To learn more about the book, go to www.hcmarketplace.com.

There is some common ground in the corrective action plans (CAP) that OCR has imposed on healthcare organizations it has investigated for HIPAA privacy and security deficiencies.

The release of the HIPAA Omnibus Rule has left most HIPAA privacy and security officers with a long and likely overwhelming to-do list.

Who would have thought that buying gas with a credit card or wearing a pacemaker could leave a person's information exposed? Yet highly sophisticated credit card skimming devices at gas stations are stealing from ­consumers, and healthcare organizations are concerned about the potential for malicious tampering or the theft of PHI from wireless medical devices such as pacemakers. Hidden vulnerabilities lie in everyday activities like these, and some of those vulnerabilities can expose PHI and put healthcare organizations at risk.

The HIPAA omnibus rule provides greater protection for PHI by imposing more stringent requirements and limits on a covered entity's (CE) use and disclosure of that information when it comes to functions such as marketing, sales, and fundraising.

Sanctions are one side of the HIPAA coin. However, have you ever considered awarding commendations to workforce members who take steps to protect PHI?

A 2009 tragedy that occurred in a high school weight room is raising questions about patient privacy rights under HIPAA.