Controls-based “checklists” and dubious certifications will not adequately protect a healthcare organization’s sensitive digital assets. What will work is a formal Information Risk Management (IRM) program designed to grow more effective and mature over time.

Two documents from the Office for Civil Rights (OCR) reveal what the HIPAA regulatory arm of the federal government believes are appropriate for determining an organization’s level of compliance and information security as required by HIPAA: the Phase 2 Audit Protocol that covers all three HIPAA regulations and OCR’s Final Guidance on Risk Analysis, which is specific to the HIPAA Security Rule and information risk management.

You should consider this OCR guidance when looking for tools to determine your current level of compliance and information security. These directives can also serve as a prioritization plan for remediating weaknesses and a project management tool for tracking remediation progress. The ability to document improvement in IRM compliance over time provides the evidence regularly requested by OCR – and the lack thereof can result in increased fines and penalties.

Read the entire article at HIT Leaders and News.

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.