HIPAA Regulatory Alert: News Briefs

Time needed to document security compliance

The U.S. Department of Health and Human Services (HHS) says that the nearly four million covered entities that must comply with the final HIPAA security rule will spend 64.5 million hours documenting their compliance efforts.

HHS included the estimate in its publication of the final rule. It said covered entities will spend about 99% of the time, some 64 million hours, documenting organizational security policies and procedures, which will take each entity an average of 16 hours.

The remaining time will be spent as follows: 75,000 covered entities will each have to document, an average of three times, why it is not reasonable and appropriate to implement a requirement, a 15-minute task that will require an aggregate 56,250 hours; 60,000 covered entities must document a contingency plan to secure electronic protected health information during a disaster or other emergency, an eight-hour task worth a total of 480,000 hours; and 15,500 covered entities will have to repair or modify physical components, such as walls, doors, and locks, to secure data. Each repair or modification will take 10 minutes to document, for a total burden of 2,583 hours, according to HHS.

OCR pushes for voluntary compliance

U.S. Department of Health and Human Services Office of Civil Rights (OCR) director Richard Campanelli says that voluntary compliance with the HIPAA medical privacy rule is the best way to protect health information. He also told a HIPAA workshop that the federal government’s enforcement of the regulation will be largely complaint-driven.

Campanelli added that most complaints about violations of the HIPAA privacy rule can be resolved easily. "OCR’s goal is not to maximize enforcement," he said. "Our goal is to protect personal health information." Campanelli says he recommends that patients register complaints with their health care providers before turning to the government about privacy violations.

Help available for employers

The U.S. Department of Labor’s Employee Benefits Security Administration (EBSA) has started a HIPAA Compliance Assistance Program to help employers and other covered entities comply with new privacy regulations.

The program addresses many issues facing employers through nationwide compliance assistance workshops and a new section on the EBSA web site that has detailed compliance information. EBSA also will release several HIPAA compliance publications, including a self-audit checklist and tips for avoiding HIPAA pitfalls.

[Editor’s note: For more information, go to www.dol.gov/ebsa.]