BreachExchange mailing list archives

Closing HIPAA compliance gaps: Getting your policies in order


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 23 Sep 2015 14:05:52 -0600

http://www.healthcareitnews.com/blog/closing-hipaa-compliance-gaps-getting-your-policies-order

While every healthcare organization is aware of the need to comply with the
Health Insurance Portability and Accountability Act (HIPAA),
many--especially smaller entities such as physician practices--don't have
all the policies and procedures in place to adequately meet the
requirements and preserve the privacy and security of patient health
information.

One reason for this is that the scope of what's necessary is so broad.
Believe it or not, there are 52 possible policies that organizations may
need in order to comply with HIPAA. To determine which ones are required,
an organization must perform a comprehensive risk assessment and gap
analysis. Based on the results, a facility can then craft the appropriate
policies, addressing all the relevant details that the regulations demand.
Although organizations can find standard policies online, these may not be
sufficient, especially for specialty practices with unique requirements.

As discussed in part 1 of this series, most organizations do not have the
necessary bandwidth to develop and maintain complete policies. This lack of
time and resources leaves many entities at risk, but there are strategies
to deal with this and prioritize compliance.

Small Oversights Can Lead to Big Problems

Giving less than full attention to HIPAA compliance is a risky proposition.
Although organizations may not truly understand the scope of HIPAA
regulation and how to address it, the consequences of a breach are rarely
minor, and a facility will soon discover the ramifications of a HIPAA
policy deficit.

Consider a practice that receives a call from one of its patients who has a
neighbor working in the office. The patient is concerned that the neighbor
might have access to the patient's medical record and wants to know what
the practice's policy is for preserving the privacy of patient health
information. The practice only has a short HIPAA form--one that was written
several years ago. The patient begins to question whether her information
is in fact secure and files a complaint with the Department of Public
Health. The situation quickly escalates, and all of a sudden the practice
is facing a six-figure fine and a potential lawsuit, which it likely cannot
afford.

Examples like this one are not as rare as some might think. It only takes
one patient who is concerned about his or her rights, and an organization
may be confronting dire consequences.

Taking Steps to Mitigate Risk

Ensuring a practice has the right HIPAA policies in place may seem
daunting; however, there are several concrete ways organizations can realize
better compliance, starting with proper risk assessments and policy
documentation. Here are a few tactics to consider when broaching those
strategies.

Seek expert resources. Commonly, it's not realistic for small to mid-sized
practices to have a dedicated HIPAA expert on staff. Practices often have
limited resources that are focused on other priorities, and finding an
individual who is proficient in HIPAA can be difficult. To lay the
groundwork for reliable compliance, organizations should look for expertise
outside the practice's four walls. This may entail outsourcing HIPAA
compliance efforts or hiring a consultant or compliance lawyer to advise
practice staff. There are also many available software options to guide
people through detailed risk analyses and policy creation.

Conduct a gap analysis. The only way to know whether your organization is
in compliance is to conduct a risk assessment or gap analysis. This will
involve an in-depth review of current policies, visual observations of
existing operations and conversations with staff members about how they
maintain patient health information security. As part of this exercise, an
organization may want to use a scoring mechanism to quantify potential
shortfalls and pinpoint areas of focus. Again, leveraging the skills of an
outside resource can be valuable.

Customize policies. Once an organization determines what policies are
required through its gap analysis, it can consult the internet, software
vendors or outside resources to find a starting point for policy
development. It is important to note, however, that facilities should
customize the policies to address their specific risks and needs, as well
as document them for the practice. Specialty practices in particular cannot
just adopt policies that are meant for primary care providers or hospitals.
Customization is the best way to make sure that a practice is addressing
its particular HIPAA policy needs.

Set up reminders. Once these three steps are completed, providers should
not let their HIPAA compliance go stagnant. Instead, practices should
review their policies and risk assessments at least annually, if not more
frequently. Not only is this required, but it is also wise given how
quickly things are changing in healthcare. To keep track of this activity,
an organization may wish to set up a tickler file or some other reminder
method.

Underpinning any good HIPAA compliance effort are strong policies and
regular risk assessments. Organizations that commit to this work can ensure
they preserve the privacy and security of patient health information and
avoid the unpleasant situations that could result from a lack of attention
and documentation.