HIPAA
Gerry Blass and Susan A. Miller, JD
Imagine trying to come up with the top ten things our planet should do to decrease vulnerabilities and threats. Looking at earth from 30,000 feet can make that seem easier to do. But if we zoom in to the details we could probably come up with hundreds of things to consider. The same is true with health information privacy and security. To come up with what we consider to be the top ten things to do to pass Office for Civil Rights (OCR) audits and reduce the risk of unauthorized access to your protected health information (PHI), we had to zoom out and look at what we have observed over the past several years from a very high level. Our top ten things to do are not listed in any particular order. Keep in mind that our top ten today will most likely change very soon, and at least year to year. Here they are:
The Top Ten Things Should Be Doing to Pass an Audit and Reduce Risk of a Breach
1. Be a functional organization with information privacy and security (via mandates, oversight, change management, resourcing, and empowering the information security officer or ISO).
Functional organizations have implemented executive mandates for compliance and adequate budgets for both human and funding resources. The authors have heard a well-respected Compliance Officer in New Jersey state, “The cost of compliance is potentially much less than the cost of an incident such as a breach.” All of us who have read about the recent and ongoing breach incidents can agree with that comment.
It is interesting that we are also starting to hear about and see ISOs reporting outside of Information Technology (IT). This makes sense because the ISO needs to be able to audit the IT controls and give an unbiased report to senior management. Other areas to consider for the ISO to participate with, or at least report to, include compliance, legal, audit, and risk.