While there have not been significant regulatory changes to HIPAA since 2013, that doesn't mean that compliance can be static. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued guidance in several areas, ranging from an individual's right of access to ransomware to visitor access to treatment areas.
Additionally, we have learned more from OCR desk audits about the agency's expectations for documents such as the notice of privacy practices and a patient request for access form. While this guidance does not have the force of law, covered entities and business associates would be well served to consider whether to change their policies and procedures accordingly.
In this presentation, attendees learned about nine areas where policies, procedures, or compliance documentation are likely outdated if they have not kept up with various OCR guidance documents.
- OCR guidance on an individual's right of access to protected health information and related changes to policies, procedures, forms, and notices of privacy practices.
- OCR's guidance on ransomware and what it means to have a "disclosure" or a "compromise."
- OCR's guidance on cloud computing and what it means to your risk analysis.
- Guidance on business associates withholding covered entity access to protected health information.