Potential health IT investors must carefully assess the HIPAA compliance readiness of business associates, according to Tony Kong, director of the healthcare practice at the management and technology consulting firm West Monroe Partners. Kong, who recently talked to HealthcareInfoSecurity about how the rule will impact healthcare investors, said that many companies involved in the sector started out small and did not initially think about making compliance investments.
"A lot of these companies handle protected health information, but have not yet made the investment in people, processes or technology to ensure HIPAA compliance and reduce risk," Kong said.
For such entities, Kong recommended using a security consulting firm to conduct a risk assessment, then designating a compliance officer to conduct random audits. Kong also stressed that senior management needs to update board members who hold seats on behalf of private equity firms about HIPAA compliance.
Investors, he said, "should make it a priority for the senior management team to put the proper people, processes and technology in place.
"The status of HIPAA compliance should be reported back to the board annually or semiannually," he added.
In August, Mark Dill, director of information security for Cleveland Clinic, offered up five recommendations to prepare for a HIPAA audit. His main message: Be proactive.
"We're choosing to be proactive and have our documentation in a relatively ready state," Dill said. "We've heard stories of early audits where boxes of paper were thrown at a regulator, and that will just annoy [the U.S. Department of Health & Human Services], which pays a large percentage of the revenue of many hospitals and providers."
Shortly after the rule's reveal, several FierceHealthIT Editorial Advisory Board members noted that the execution would present a multitude of challenges.
Preparation won't be easy: Healthcare organizations will spend 32.8 million hours complying with the modified HIPAA omnibus rule, according to the HHS Office for Civil Rights. The bulk of that time, 30.655 million hours, likely will involve the dissemination and acknowledgement of privacy practices at provider offices.
To learn more:
- read the article in HealthcareInfoSecurity
- Five recommendations to prepare for a HIPAA audit
- Health privacy regs, metadata fuel heated debate
- OCR: HIPAA mega rule in its 'last clearance lap'
- Hospital use of data breach insurance increases as incidents multiply
- Most not ready for HIPAA audits; data breaches abound