Help Prevent Breaches with HIPAA Compliance
Since every healthcare organization is affected by the passage of the HIPAA regulations, one would think that all of them would be working diligently on compliance. In addition, patient health information breaches are clearly out of control. Planning for HIPAA compliance is very similar to disaster planning – and a breach is certainly a disaster. Yet there is little mention of, or urgency surrounding, HIPAA compliance.
An organization that suffers a breach incurs significant financial, public relations and other damage, with potentially disastrous outcomes for the organization. Even so, many organizations find it challenging to create a proper HIPAA security planning initiative. The benefits of complying with the current HIPAA Privacy Rule go beyond simply avoiding regulatory sanctions: the rule helps an organization avoid a disaster such as a breach.
Creating a best-practice security program addresses HIPAA compliance and can build the foundation for future technology. Further, leveraging the tools and planning efforts behind the organization’s disaster recovery plans can enhance the HIPAA compliance planning effort and identify areas where data may be compromised. Systems implemented today, such as computerized physician order entry, e-prescribing, picture archiving and communication systems, wireless data networks and electronic medical records, are very costly to secure after implementation. When planning for new systems, a HIPAA-compliant security program should be among the factors included in the requirements; doing so helps organizations avoid expensive add-on security measures. HIPAA-compliant organizations can also reduce medical errors, increase patient satisfaction and trust, improve quality of care, and create operational efficiencies.
A five-step process
Using ISO (International Organization for Standardization) and National Institute of Standards and Technology (NIST) standards, an organization can follow a five-step process to address and meet HIPAA security compliance. (Organizations should always attempt to use ISO/NIST standards in developing these processes.)
The first step is to perform a formal risk assessment and gap analysis. The assessment guides the organization’s decision-making and addresses the standards required by the HIPAA Security Rule. A detailed assessment provides awareness of the organization’s assets and risks, and identifies controls to help manage those risks. This is similar to the business impact analysis conducted in disaster recovery or business continuity planning.
Next, the organization addresses the compliance gaps, producing a remediation plan. The plan should concentrate on the reasonable and appropriate people, process and technology requirements needed to attain and monitor compliance. This phase should be based on industry guidelines and should frame the organization’s structure for ongoing security management while complying with the HIPAA Security Rule. A formal response and notification process is a key component, as it is in a business continuity/disaster recovery plan. Communication is critical to alerting and notifying key leadership, organizations and staff, and to resolving an interruption or breach.
Once the remediation plan has been accepted by the organization, implementation is next. Implementation includes process and technology changes needed to close identified gaps.
Once the gaps have been closed, the organization turns to managing and testing the plan’s effectiveness. The objective is to keep the gaps closed and to develop contingency plans based upon the enhanced security infrastructure.
The final phase is to educate the organization so that the new changes become part of the organization’s culture. Staff are often the weak link in an organization’s security, as it takes only one staff member to invalidate well-designed security controls. Ongoing security education and training should be provided for management, clinical and technical staff, and the general user community. Training Business Associates should also be considered. It should be noted that the security plan is dynamic and will need to be reviewed and monitored continuously. HIPAA compliance will strengthen your organization’s privacy and security processes. Security planning can be synonymous with disaster planning, and it will reduce the likelihood of breaches.
One of the critical tools used to protect patient health information is encryption. To find out more about encryption, such as what should be encrypted and how, see Hayes’ Shefali Mookencherry’s blog, The Time to Encrypt is now: HIPAA and Encryption.
Rob Drewniak is vice president, strategic and advisory services, for Hayes Management Consulting.