2013 was an eventful year for healthcare law. The Affordable Care Act and its security concerns, the HIPAA Omnibus final rule and the HIPAA Audit Program all gave healthcare providers plenty to worry about.
2014 is going to be no different: the industry will face plenty of regulatory changes. According to a recent poll of compliance, privacy and information security officers at various healthcare organizations, compliance issues and resources will be among the biggest concerns in 2014.
The respondents were unanimous that 2014 is going to be tougher. One respondent said that existing regulations will be expanded and revised to the point where they become “impossible to follow”. Another expected more work and higher expectations with no additional staff. Almost everyone agreed that privacy concerns will continue to grow in importance.
Some of the common demands from the respondents were:
- Time to be more proactive and more time to focus on education, monitoring and overall bolstering of the privacy program.
- Someone to develop privacy training; be the first contact for questions and to assist in the review and investigation of complaints.
- Internal auditors and a person dedicated to overseeing the activities of sub-contractors.
- Full-time compliance liaison staff at all sites throughout the States.
In short, 2014 is going to be a challenging year for HIPAA-covered entities and their business associates. Here are a few well thought-out strategies to help keep your road to 2014 compliance smooth.
Conduct a HIPAA compliance assessment
This assessment evaluates your current level of compliance, your regulatory commitments and any shortcomings with regard to the HIPAA privacy, security and breach notification rules. It should show you where you are lacking in terms of compliance and where PHI is exposed, and how to address the identified risks, if any. As a generally accepted industry standard, a HIPAA compliance assessment should be done bi-annually so that changes are monitored and progress can be measured against previous assessments.
Develop an Incident Response Plan (IRP)
You should have a ready-to-execute Incident Response Plan (IRP) that demonstrates your organization’s readiness in case of a data breach. Ideally, the plan should contain:
- Roles and responsibilities of the Incident Response Team.
- The team’s incident risk assessment process for determining whether a PHI-related incident is a data breach.
- Your organization’s policy for managing a data breach.
- Relevant regulations for responding to a data breach, including notification requirements.
- Guidelines for mitigating any data breach — discovery, investigation and response.
Implement an incident risk assessment methodology
Implement decision support software to help your organization comply with the revised HIPAA/HITECH standards and with state-regulated data breach guidelines. This matters because every privacy and security incident is unique and requires a consistent incident risk assessment, including the rules set out in the HIPAA Omnibus Rule. Every such assessment must be documented and used as the basis for deciding whether notification is required. This will help your incident response team execute a timely response, thereby protecting patients, business partners and compliance authorities.
2014 is going to be a year full of new complexities, and you can’t do everything. You can, however, do your best, provided you stick to the basics.