With only two weeks to go before organizations must meet HIPAA compliance under the omnibus rule published in January, questions about liability--who's responsible and for what--are becoming increasingly frequent, according to Kathy Kudner, a healthcare attorney with the law firm Dykema Gossett.
Kudner, in an interview with HealthITSecurity.com, said that while larger hospitals seem to be on the right track, that's not necessarily the case for smaller organizations such as physician groups, nursing homes and home health organizations.
Non-healthcare organizations, too, have a lot to worry about, according to Kudner, including banks and non-healthcare insurance companies with license disability programs.
"Originally in HIPAA, banks were not subject to the rules because they were referred to as conduits like the Post Office," she said. "But now banks [are] processing claims and getting access within the bank to PHI, so banks are struggling."
Kudner, in part 2 of the interview, expressed concern that some entities, despite having documents and policies in place, might not be as diligent about having security in place as well, citing potential cost issues.
"For example, if you're a home health agency and all of your nurses have a mobile device, it's really hard to protect against theft and loss," Kudner said. "The more we use mobile devices and cloud-based technology, there are going to be more breaches."
The U.S. Department of Health & Human Services estimates that healthcare organizations will spend close to 33 million hours complying with the modified rule, with the majority of that time involving the dissemination and acknowledgement of privacy practices at provider offices.