This entry is part 26 of 26 in the series HIPAA Privacy-Security Reminders

HIPAA-HITECH Compliance Success Formula

Just about everyone who knows me has probably heard me rail against “checklists” in the context of HIPAA-HITECH privacy and security rule compliance. Well, sort of. There are checklists, after all — they’re called the HIPAA Privacy Rule, HIPAA Security Rule and the HITECH Breach Notification Rule. This post may serve as a great starting point for your program or as a key part of your HIPAA Privacy and Security Reminders program.

On the other hand, while some may call it a high-level checklist, the Clearwater HIPAA Compliance 9-Step Action Plan is a tried and true programmatic approach to becoming and remaining compliant. It is based on deep experience as custodians of the PHI of 40+ million Americans, work with 300+ organizations of all sizes, and specific OCR/CMS/OIG audits and investigations in which we supported over twenty customers.


Based on our direct experience with the HIPAA-HITECH compliance enforcement actions, a thorough study of HHS/OCR Resolution Agreements and Corrective Action Plans and the OCR Audit Program Protocol, it is clear that a well-designed and balanced HIPAA-HITECH compliance program comprises the following key elements:

  • Policies – clearly written and well-communicated
  • Procedures – specific and documented
  • People – engaged, trained and aware
  • Safeguards – reasonable, appropriate and tested

Following is our Clearwater HIPAA-HITECH Compliance Success Formula:

  1. Put a Privacy and Security Risk Management & Governance Program in place (45 CFR §164.308(a)(1))
  2. Develop & implement comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
  3. Train all members of your workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
  4. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
  5. Complete a HIPAA Security Evaluation, i.e., a compliance assessment (45 CFR §164.308(a)(8))
  6. Complete technical testing of your environment (45 CFR §164.308(a)(8))
  7. Implement a strong, proactive Business Associate management program (45 CFR §164.502(e) and 45 CFR §164.308(b))
  8. Complete Privacy Rule and Breach Notification Rule compliance assessments (45 CFR §164.500 and 45 CFR §164.400)
  9. Document and act upon a remediation plan

Each one of the above items is a “sub-program” of an overall HIPAA-HITECH compliance program. Each represents a fair amount of initial work and ongoing monitoring. Of course, it is very challenging to run your organization and complete all of these items at once. Our advice is simple: choose one or two and get to work. Demonstrate seriousness of intent and a good-faith effort.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:

The complete HIPAA Privacy, Security and Breach regulations are here.



Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority on safeguarding health data, Chaput has supported hundreds of hospitals and health systems in successfully managing healthcare’s evolving cybersecurity threats and ensuring patient safety.