On August 19, 2009, the U.S. Department of Health and Human Services announced new regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached. These new regulations require that health care providers, business associates of the health care provider, and other entities included under HIPAA notify all affected individuals, the HHS Secretary and the media when a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis.
HHS plans to provide a guidance update in the same document as the regulations, specifying encryption and destruction as the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, along with steps to help determine when information is considered unsecured and notification is required. So now the question is simply this: with these requirements and guidelines in place, how will your organization position itself to initiate the assessment and notification processes?
In my view, organizations impacted by these new regulations will need to formalize these processes and assign individuals within the organization to establish them, train the workforce on their roles and responsibilities, and be accountable for ensuring these processes are carried out to their fullest extent. Systems and personnel must be aligned to implement notification to the patients; perhaps media relations interacts with the media, and senior management issues the statement to HHS. In addition, a mechanism must be put in place to manage inquiries and address issues related to such notifications. Once the processes are established, you can also look to automate them using various technologies like BPM.
My point here is that this is no small change. It will require careful thought, analysis and planning. It will require change management to address the changes in the way people work. It will require legal guidance in relation to compliance, and it will require continuous improvement activity for the purpose of ongoing refinement and compliance management.
What say you? Are your processes ready to meet this new demand? Do you have a story to tell? I want to hear from you and learn what you and your organization are doing.
Looking to increase your level of knowledge? Join me for the BPM Certificate course in Chicago, IL from September 22-25. I look forward to seeing you there.
Looking to take a course online? There is still time to take advantage of AIIM’s Cash for Certificates program. To qualify, simply send your contact details and documentation of your current certifications and designations to cashforcertificates@aiim.org and AIIM will issue you a $250 voucher, valid until August 31, 2009, that you can use for any of the online certificate programs.
Bob Larrivee – AIIM
Follow me on twitter – BobLarrivee and remember to visit www.aiim.org/training and www.informationzen.org, AIIM’s free social network created just for you.