[September 27, 2013]
Cintas Issues 10 Tips to Help Comply with the HIPAA Omnibus Rule
CINCINNATI --(Business Wire)--
With the September 23 compliance deadline now past, many organizations
are scrambling to ensure compliance and avoid penalties. The Health
Insurance Portability and Accountability Act (HIPAA) Omnibus Rule makes
business associates directly accountable for any misuse of, or failure to
safeguard, protected health information (PHI) and increases liability
for noncompliance. Cintas Corporation (NASDAQ: CTAS) today released 10
tips to help healthcare practices remain compliant under the new rule.
"With penalties under the Omnibus Rule reaching up to $1.5 million per
violation, it is crucial for organizations to put in place proper
internal controls to ensure they remain HIPAA compliant," said Karen
Carnahan, President and COO, Cintas Document Management. "Protecting
confidential patient information is critical to a healthcare
institution's success. In addition to HIPAA fines, healthcare providers
risk long-term damage to their reputation and brand."
To help achieve compliance under the Omnibus Rule, Cintas offers the
following 10 tips:
1. Retrain employees. It is important to retrain employees on the
updated policies and procedures addressing privacy, security and PHI
breaches as soon as possible.
2. Inventory vendors. The revised definition of "business
associate" now includes a business associate's subcontractors that
create, receive, maintain, or transmit PHI. Review all relevant
vendor relationships to determine if they are considered business
associates under the Omnibus Rule.
3. Update agreements. The Omnibus Rule modifies the content
requirements of business associate agreements. As a result, covered
entities and business associates will need to revise existing business
associate agreements. The Department of Health and Human Services(HHS)
has posted a sample version of a revised business associate agreement on
4. Update general privacy policies and procedures. Review and
revise internal policies and procedures, including HIPAA forms, to
ensure that they reflect the changes made to the HIPAA Privacy Rule.
The revisions should reflect changes to the definition of PHI and to the
rules governing patient access to records, disclosures to third parties,
research, marketing, fundraising and the sale of PHI, notifications to
persons involved in a patient's care and other rules governing decedents
5. Update breach policies and procedures. Ensure policies and
procedures are in place that allow you to determine if a breach occurred
and if notice is required.
6. Determine if notice is required for a breach. Under the
Omnibus Rule, an impermissible use or disclosure of PHI is presumed to
be a reportable breach, and the covered entity or business associate must
give notice unless it can demonstrate, through a documented risk
assessment, that there is a low probability the PHI has been compromised,
or unless a regulatory exception applies. The assessment must consider at
least the following factors:
a. The nature and extent of the PHI involved, including the types of
identifying information involved and whether the PHI is sensitive in
b. The characteristics of the unauthorized recipient of the PHI
c. Whether the PHI was actually acquired or viewed
d. The extent to which the risk to the PHI has been mitigated after the
e. Any other relevant factors
7. Review breach-notification procedures. Make sure that required
breach notifications are provided to the appropriate parties by the
covered entity (or the covered entity's business associate, if
applicable) in a timely manner: without unreasonable delay and in no
case later than 60 calendar days after the breach is discovered.
8. Encrypt or destroy PHI. The HHS guidance referenced by the Omnibus
Rule recognizes only two methods for rendering PHI "secured": encryption
and destruction. The breach notification requirements apply only to
breaches of "unsecured" PHI, that is, PHI that has not been secured by a
technology or methodology that renders it unreadable, unusable or
indecipherable to unauthorized persons. Note that encryption provides this
safe harbor only while the decryption key remains uncompromised; if the
key is exposed along with the data, the PHI is still unsecured and the
breach analysis above applies.
9. Review your Security Rule gap analysis. Now is the ideal time
to review your HIPAA Security Rule gap analysis to ensure that it
considers the changes made by the Omnibus Rule.
10. Revise and redistribute your notice of privacy practices. Be sure to
update your HIPAA privacy notices to reflect the changes made by the Omnibus
To read the Final Rule in its entirety, visit www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
For more information about Cintas Document Management services, please
About Cintas Corporation:
Headquartered in Cincinnati, Cintas Corporation provides highly
specialized services to businesses of all types primarily throughout
North America. Cintas designs, manufactures and implements corporate
identity uniform programs, and provides entrance mats, restroom cleaning
and supplies, tile and carpet cleaning, promotional products, first aid,
safety, fire protection products and services and document management
services for more than 1 million businesses. Cintas is a publicly held
company traded over the Nasdaq Global Select Market under the symbol
CTAS and is a component of the Standard & Poor's 500 Index.