HIPAA-HITECH Compliance Success Formula
Just about everyone who knows me has probably heard me rail against “checklists” in the context of HIPAA-HITECH privacy and security rule compliance. Well, sort of. There are checklists, after all — they’re called the HIPAA Privacy Rule, HIPAA Security Rule and the HITECH Breach Notification Rule. This post may serve as a great starting point for your program or as a key part of your HIPAA Privacy and Security Reminders program.
On the other hand, while some may call it a high-level checklist, the Clearwater HIPAA Compliance 9-Step Action Plan is a tried and true programmatic approach to becoming and remaining compliant. It is based on deep experience as custodians of the PHI of 40+ million Americans, work with 300+ organizations of all sizes, and specific OCR/CMS/OIG audits and investigations in which we supported over twenty customers.
Based on our direct experience with the HIPAA-HITECH compliance enforcement actions, a thorough study of HHS/OCR Resolution Agreements and Corrective Action Plans and the OCR Audit Program Protocol, it is clear that a well-designed and balanced HIPAA-HITECH compliance program comprises the following key elements:
- Policies – clearly written and well-communicated
- Procedures – specific and documented
- People – engaged, trained and aware
- Safeguards – reasonable, appropriate and tested
Following is our Clearwater HIPAA-HITECH Compliance Success Formula:
- Put a Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
- Develop & implement comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures (45 CFR § 164.530 and 45 CFR § 164.316)
- Train all members of your workforce (45 CFR § 164.530(b) and 45 CFR § 164.308(a)(5))
- Complete a HIPAA Security Risk Analysis (45 CFR § 164.308(a)(1)(ii)(A))
- Complete a HIPAA Security Evaluation (i.e., a compliance assessment) (45 CFR § 164.308(a)(8))
- Complete technical testing of your environment (45 CFR § 164.308(a)(8))
- Implement a strong, proactive Business Associate / Management Program (45 CFR § 164.502(e) and 45 CFR § 164.308(b))
- Complete Privacy Rule and Breach Notification Rule compliance assessments (45 CFR § 164.500 and 45 CFR § 164.400)
- Document and act upon a remediation plan
Each one of the above items is a “sub-program” of an overall HIPAA-HITECH compliance program. Each represents a fair amount of initial work and ongoing monitoring. Of course, it is very challenging to run your organization and complete all of these items. Our advice is simple: choose one or two and get to work. Demonstrate seriousness of intent and good faith effort.
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
Author: Bob Chaput