The goal is to create an ever-changing culture of compliance that prepares organizations for government audits and reduces the risk of adverse events such as a breach of their PHI. A key component of oversight is change management. Compliance activities must be repeated periodically because of change: changes to regulations; changes to administrative, physical, and technical risks and vulnerabilities; and changes in organizational factors such as M&A, policies and procedures, new facilities, new technology, application updates, and more.
We have included change management as number one, but consider it to be part of, and a strong requirement for, every item on our list.
2. Documentation
The basic requirement for any compliance program is documentation, including policies and procedures, risk assessments, plans (e.g., disaster recovery plans, facility security plans, etc.), and other evidence documentation that proves operational compliance. The OCR will request documentation of both internal vulnerability scanning and external penetration testing during its audit.
All documentation should be reviewed on a periodic basis, at least annually. Disaster recovery and business continuity plans and procedures should be tested each year as well. The tests should include both tabletop exercises and actual controlled testing of offsite backup and restore locations. Departmental downtime procedures should be tabletop tested at least annually, and in practice real downtime events usually provide actual testing as well. Breach response plans should also undergo tabletop testing.
Facility walk-through audits should be documented while referencing the facility security plan. Any gaps should be reviewed and included in the risk mitigation plan. Remember that the “acid test” for determining physical security issues is this: if you can see or access PHI in an unauthorized manner (e.g., a workstation monitor containing PHI is in full public view), there is an issue to be resolved before it turns into an incident.
Documentation is your first line of defense when the OCR comes calling, whether it is for an investigation or an audit.
3. Risk Assessments (RA)
Risk assessments (RA) should be done at least annually and always when a change could result in a new vulnerability that increases the risk of unauthorized access to your PHI. As mentioned above, the change could be administrative, physical, technical, or organizational. It could also be due to a change in the regulations. RA is a general term, but it should include: a review of the entire HIPAA Security Rule; technical security testing (internal and external); an administrative threat assessment; a PHI vulnerability assessment; physical facility walk-through audits; a cybersecurity assessment (which can be part of the technical testing); and random workforce interviews to gauge their competency in high-level HIPAA knowledge, something that may also be done during a real OCR audit.
4. Risk Management (RM)
The authors have witnessed covered entities and business associates that outsource a risk assessment and then make very little progress, or sometimes no progress, in managing the identified risk. The good work that was done during the assessment is then no longer evidence of due diligence, but rather possible evidence of willful neglect. This is another reason for a strong oversight committee that meets on a regular basis to review progress with risk mitigation. And it goes back to proper funding: dedicated resources and funding for risk management are the key to success. Risk should be managed in tiers, focusing first on high risk, then medium. Low risk should also be reviewed to confirm that it is truly low and to decide whether any mitigation is required. RM must follow every RA activity, and the results must be documented so that your organization has evidence of due diligence rather than willful neglect.
5. Yearly Compliance Audit
Since President Obama signed the American Recovery and Reinvestment Act (ARRA) in 2009, the OCR has been out saying at national meetings and on webinars that all covered entities must do a
EDITOR-IN-CHIEF
Mary Alice Annecharico, MS, RN, FHIMSS
VP, CONTENT & PRODUCT DEVELOPMENT
Gus Venditto
EDITORIAL REVIEW BOARD
Marion J. Ball, EdD, FHIMSS
Fellow, IBM Global Leadership Initiative
Center for Healthcare Management
Professor, Johns Hopkins School of Nursing
Eta S. Berner, EdD
Professor Health Services Administration
University of Alabama at Birmingham
Birmingham, AL
William F. Bria, MD
Chief Medical Information Officer
Shriners Hospital for Children
Tampa, FL
John P. Glaser, PhD, FHIMSS
CEO
Health Services Unit
Siemens
Malvern, PA
Margaret M. Hassett, MS, RN, C, FHIMSS
Director of Clinical Informatics
Berkshire Health Systems
Pittsfield, MA
James Langabeer II, FHIMSS
Associate Professor,
Management & Policy Sciences
The University of Texas School of Public Health
Houston, TX
Jim Langabeer, PhD, FHIMSS
CEO
Greater Houston Healthconnect
Associate Professor
Healthcare Management
University of Texas-Houston
Barbara Hoehn
CEO
Healthought Leaders, Inc
New York, NY
Sharon Klein
Partner
Corporate and Securities Practice Group
Pepper Hamilton LLP
New York, NY