Controls-based “checklists” and dubious certifications will not adequately protect a healthcare organization’s sensitive digital assets. What will work is a formal Information Risk Management (IRM) program designed to grow more effective and mature over time.

Two documents from the Office for Civil Rights (OCR) reveal what the HIPAA regulatory arm of the federal government considers appropriate for determining an organization’s level of compliance and information security as required by HIPAA: the Phase 2 Audit Protocol, which covers all three HIPAA regulations, and OCR’s Final Guidance on Risk Analysis, which is specific to the HIPAA Security Rule and information risk management.

You should consider this OCR guidance when looking for tools to determine your current level of compliance and information security. These documents can also serve as a prioritization plan for remediating weaknesses and as a project management tool for tracking remediation progress. The ability to document improvement in IRM compliance over time provides the evidence OCR regularly requests, and the lack of such evidence can result in increased fines and penalties.

Read the entire article at HIT Leaders and News.

Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.