Journal Of Healthcare Information Management

The goal is to create an ever-changing culture of compliance that prepares organizations for government audits and reduces the risks of adverse events such as a breach of their PHI. A key component of oversight is change management. The reason why compliance activities must be done periodically is due to change, to regulations, administrative, physical, and technical risks and vulnerabilities, and organizational factors, such as M&A, policies and procedures, new facilities, new technology, application updates, and more.

We have included change management as number one, but consider it to be part of and a strong requirement for every item on our list.

2. Documentation

The basic requirement for any compliance program is documentation, including policies and procedures, risk assessments, plans (e.g., disaster recovery plans, facility security plans, etc.), and other evidence documentation that proves operational compliance. The OCR will request documentation of both internal vulnerability scanning and external penetration testing during their audit.

All documentation should be reviewed on a periodic basis, at least annually. Disaster recovery, business continuity, and procedures should be tested each year as well. The tests should be both tabletop and actual controlled testing of offsite backup and restore locations. Departmental downtime procedures should be tabletop tested at least annually, and there is normally actual downtime that results in actual testing. Breach response plans should also undergo tabletop testing.

Facility walk thru audits should be documented while referencing the facility security plan. Any gaps should be reviewed and included in the risk mitigation plan. Remember that the “acid test” for determining physical security issues is this: if you can see or access PHI in an unauthorized manner (e.g., workstation monitor containing PHI is in full public view), there is an issue to be resolved before it turns into an incident.

Documentation is your first line of defense when the OCR comes calling,

whether it is for an investigation or audit.

3. Risk Assessments (RA)

Risk assessments (RA) should be done at least annually and always when a change could result in a new vulnerability that increases the risk of unauthorized access to your PHI. As mentioned above, the change could be administrative, physical, technical, or organizational. It could also be due to a change in the regulations. RA is a general term but should include: A review of the entire HIPAA security rule, technical security testing (internal and external), an administrative threat assessment, a PHI vulnerability assessment, physical facility walk thru audits, a cyber security assessment (can be part of the technical testing), and random workforce interviews to gauge their competency for high level HIPAA knowledge, which is something that may be done during a real OCR audit.

4. Risk Management (RM)

The authors have witnessed covered entities and business associates who outsource a risk assessment and then make very little progress or sometimes no progress in managing the identified risk. The good work that was done during the assessment is no longer evidence of due diligence, but rather, possible evidence of willful neglect. This is another reason for a strong oversight committee that meets on a regular basis to review progress with risk mitigation. And it goes back to proper funding. Dedicated resources and funding for risk management is the key to success. Risk should be managed in tiers, focusing first on high risk, then medium. Low risk should also be reviewed to confirm that it is truly low, and whether any mitigation is required. RM must follow every RA activity, and the results must be documented so that your organization has evidence of due diligence rather than willful neglect.

5. Yearly Compliance Audit

Since President Obama signed the American Recovery and Reinvestment Act (ARRA) in 2009, the OCR has been out saying at national meetings and on webi-nars that all covered entities must do a

EDITOR-IN-CHIEF

Mary Alice Annecharico, MS, RN, FHIMSS

VP, CONTENT & PRODUCT DEVELOPMENT

Gus Venditto

EDITORIAL REVIEW BOARD

Marion J. Ball, EdD, FHIMSS

Fellow, IBM Global Leadership Initiative Center for Healthcare Management Professor, Johns Hopkins School of Nursing

Eta S. Berner, EdD

Professor Health Services Administration University of Alabama at Birmingham Birmingham, AL

William F. Bria, MD

Chief Medical Information Officer Shriners Hospital for Children Tampa, FL

John P. Glaser, PhD, FHIMSS CEO Health Services Unit Siemens Malvern, PA

Margaret M. Hassett, MS, RN, C, FHIMSS Director of Clinical Informatics Berkshire Health Systems Pittsfield, MA

James Langabeer II, FHIMSS

Associate Professor, Management & Policy Sciences The University of Texas School of Public Health Houston, TX

Jim Langabeer, PhD, FHIMSS CEO Greater Houston Healthconnect Associate Professor Healthcare Management University of Texas-Houston

Barbara Hoehn

CEO Healthought Leaders, Inc New York, NY

Sharon Klein

Partner Corporate and Securities Practice Group Pepper Hamilton LLP New York, NY

Cover
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

one page

print

SlideShow

fullscreen

Click to subscribe to this magazine

Open Article

article text for page

< previous story | next story >

Share this page with a friend
Save to “My Stuff”
Subscribe to this magazine
Search
Help