Friday, August 23, 2013

Are you ready to board the Omnibus?

One month from today (Sept 23rd) you will have to be able to demonstrate that you are in compliance with HIPAA as amended by ARRA/HITECH.


Will you be able to prove compliance with, most notably, 45 CFR 164.308(a) et seq. for protection of ePHI? That means demonstrable implementation of things like
  • Administrative safeguards;
  • Technical safeguards;
  • Physical safeguards;
  • Written coherent and comprehensive policies and procedures;
  • Staff HIPAA training records;
  • Publication and dissemination of revised patient privacy practices;
  • Breach notification procedure;
  • Patient ePHI data request procedure;
  • Omnibus-compliant Business Associates Agreements (BAA).
And so on. Buying some E-Z boilerplate stuff from a HIPAA huckster vendor isn't going to cut it. Buying their E-Z No-Problem one-day online assessment questionnaire service isn't going to cut it. Assurances from some EHR vendor that "We've Covered This One For You" aren't going to cut it.

Maybe you're banking on not getting audited, at least until after you've had time to cobble this annoying stuff together post hoc.

Maybe. Maybe not. Post hoc isn't going to cut it. That would be fraud.


HIPAA Hunting Season is about to commence in earnest. I wrote a prior HIPAA post in May of 2012, btw.
___

More to come...
