5 key steps of HIPAA compliance


The 5 Key Steps of HIPAA Compliance from the Compliancy Group

Published in: Healthcare
In a recent interview with Becker's Hospital Review, our CCO Bob Grant highlighted what is necessary for healthcare providers to achieve, illustrate and maintain HIPAA compliance in 5 easy-to-understand steps.

1. Perform a "true" risk analysis. To understand system vulnerabilities, healthcare providers have to do an internal risk analysis or hire an outside auditor to perform a risk analysis for them. To perform a "true" risk analysis, the provider has to be able to say "no, we don't comply with a certain part of the regulation," says Mr. Grant. Although many healthcare providers are hesitant to admit they are not HIPAA compliant, honestly answering risk analysis questions is necessary to ascertain what a system's weaknesses are, adds Mr. Grant.

2. Have a remediation plan. Healthcare providers need to use the information from the risk analysis to develop a plan to resolve their vulnerabilities, says Mr. Grant. Along with the remediation plan, providers also need to track the documentation that shows the non-compliance issue was fixed. There are tools available that help providers track the documentation, and healthcare systems with multiple facilities should utilize the tools to simplify the process, adds Mr. Grant.

3. Have vendor management protocols. Healthcare providers need to have a valid business associate agreement in place with all vendors they are sharing patient information with, says Mr. Grant. Providers should send vendors a HIPAA security audit to ensure the vendor is in compliance with the HIPAA Security Rule. It is important for healthcare providers to address all vendor non-compliance issues because "if you act like an ostrich and put your head in the sand, HHS will come down on you hard," adds Mr. Grant.

4. Update documents. The HIPAA Omnibus Rule requires healthcare providers to have a manual containing current policies and procedures addressing each part of the Omnibus Rule, such as business associate agreement monitoring and sanction strategy. Providers' policies and procedures must be updated "periodically," and it is good practice to update with federal government rule changes or every two years, says Mr. Grant. "You may not have to change the manual when it's reviewed, but you at least have to review the policies and track that you did by at least changing the revised date," adds Mr. Grant.

5. Have an incident management plan. "Everyone has a security incident, it's the nature of healthcare, and security incidents can happen at any organization," says Mr. Grant. The healthcare industry relies on phones, fax machines and other electronic devices that are often compromised and lead to data breaches. As an incident response measure, healthcare providers need to keep accurate records, such as employee HIPAA training documents and audit logs, to determine what information was compromised during a breach and to be able to track the incident to the responsible party, adds Mr. Grant.

- Bob Grant, CCO at Compliancy Group and former HIPAA auditor
