11.17.2022

Under OCR scrutiny? RSVPing with RSPs may help

Recent changes require policy edits, staff training

Q. When is an RSVP, the French initialism meaning “respond, please,” more than proper etiquette?

A. When the responder is a healthcare entity regulated under HIPAA Rules, and the response is going to the Office for Civil Rights (OCR) with evidence of 12 months of recognized security practices.

RSVPing with evidence of at least 12 months of RSPs may prove beneficial to a healthcare organization when an audit, investigation or enforcement remedy by the OCR is involved, SimiTree compliance consultants say.

An RSP is the acronym the U.S. Department of Health and Human Services (HHS) uses for recognized security practices. When a healthcare organization provides evidence of having adequate RSPs in effect for the prior 12 months, the OCR is required by law to consider those RSPs as it levies enforcement remedies such as Civil Monetary Penalties (CMPs) for HIPAA violations.

There is currently no penalty if a healthcare organization cannot demonstrate 12 months of adequate RSPs, and the OCR is not allowed to consider the lack of RSPs in imposing any enforcement remedies.

But SimiTree consultants say that could change, as the OCR closed out a public comment period in June seeking input for future rulemaking and guidance.

No penalties at this time

“While it may be beneficial to an organization to be able to demonstrate RSPs, doing so is not mandatory at this time,” said Laurie Newlun, SimiTree Compliance Senior Manager.

Failure to show RSPs will not be considered an aggravating factor in any OCR investigations, according to recent training materials released by the OCR. There is no liability for an entity that has not adequately implemented RSPs, and OCR will not currently consider lack of RSPs when making determinations about compliance with the HIPAA Security Rule.

SimiTree compliance experts encourage providers lacking adequate RSPs to begin making any needed improvements to their compliance now.

Providers will also need to make certain they are complying with several recent changes to RSPs.

A structured review of the agency's current state related to HIPAA privacy and security assists the agency in evaluating areas of strength and areas of improvement.

“SimiTree can assist your organization by providing a HIPAA privacy and security assessment,” Newlun said.

RSPs changes require action

Recent changes will require agency action such as revisions to agency policies and procedures and some staff training as well.

In October, the OCR released updates to HIPAA privacy and security guidance and regulations. CMS also issued some important changes in the Final Rule for Home Health, which was issued on Oct. 31.

Many of these changes center around improved access to medical records for patients, shortening the time frame for allowing patients access to records and granting patients the right to take notes or photograph PHI. Key staff members will need training in compliance.

One important change requires specialized training in language assistance to avoid discrimination against those who need language assistance. Additional updates relate to discrimination via telehealth, and sexual orientation or pregnancy termination discrimination.

“Just like updates to the OIG work plan, updates and clarifications to the HIPAA regulations may be updated as frequently as monthly,” Newlun said. “This means it is important for providers to stay abreast of changes, provide the necessary staff training, and make the necessary changes to agency policies and procedures.”

Getting the word out

The OCR enforces federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule.

Although it may be better known among providers for investigating health information privacy and patient safety confidentiality complaints, the OCR also focuses on education.

Recent education efforts have focused on cybersecurity and safeguarding patient information with cybersecurity measures.

A video presentation on the OCR’s YouTube channel highlights a 2021 amendment to the HITECH Act, which requires the OCR to consider RSPs when imposing enforcement remedies or conducting audits on a regulated entity. The video offers detailed explanations and links to learn more about adequate security practices.

The video presentation may be found on the OCR’s YouTube channel.

SimiTree can help

SimiTree offers training to agencies in all aspects of compliance, including new security practices.

Experts also provide full compliance assessments to identify vulnerabilities and show organizations where and how to mitigate risk. Our compliance team is made up of industry experts with experience across the healthcare spectrum and extensive regulatory expertise. We work with organizations to establish more effective compliance processes and assist with all compliance needs.
