HIPAA-HITECH Compliance Success Formula
Just about everyone who knows me has probably heard me rail against “checklists” in the context of HIPAA-HITECH privacy and security rule compliance. Well, sort of. There are checklists, after all — they’re called the HIPAA Privacy Rule, HIPAA Security Rule and the HITECH Breach Notification Rule. This post may serve as a great starting point for your program or as a key part of your HIPAA Privacy and Security Reminders program.
On the other hand, while some may call it a high-level checklist, the Clearwater HIPAA Compliance 9-Step Action Plan is a tried and true programmatic approach to becoming and remaining compliant. It is based on deep experience as custodians of the PHI of 40+ million Americans, work with 300+ organizations of all sizes, and specific OCR/CMS/OIG audits and investigations in which we supported over twenty customers.
Based on our direct experience with the HIPAA-HITECH compliance enforcement actions, a thorough study of HHS/OCR Resolution Agreements and Corrective Action Plans and the OCR Audit Program Protocol, it is clear that a well-designed and balanced HIPAA-HITECH compliance program comprises the following key elements:
- Policies – clearly written and well-communicated
- Procedures – specific and documented
- People – engaged, trained and aware
- Safeguards – reasonable, appropriate and tested
Following is our Clearwater HIPAA-HITECH Compliance Success Formula:
- Set a Privacy and Security Risk Management & Governance Program in place (45 CFR §164.308(a)(1))
- Develop & implement comprehensive HIPAA Privacy, Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
- Train all members of your workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
- Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
- Complete a HIPAA Security Evaluation (i.e., a compliance assessment) (45 CFR §164.308(a)(8))
- Complete technical testing of your environment (45 CFR §164.308(a)(8))
- Implement a strong, proactive Business Associate Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
- Complete Privacy Rule and Breach Notification Rule compliance assessments (45 CFR §164.500 and 45 CFR §164.400)
- Document and act upon a remediation plan
Each one of the above items is a “sub-program” of an overall HIPAA-HITECH compliance program. Each represents a fair amount of initial work and ongoing monitoring. Of course, it is very challenging to run your organization and complete all of these items. Our advice is simple: choose one or two and get to work. Demonstrate seriousness of intent and good faith effort.
More HIPAA HITECH Resources:
The complete HIPAA Privacy, Security and Breach regulations are here.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.