
5 key steps of HIPAA compliance


The 5 Key Steps of HIPAA Compliance from the Compliancy Group

Published in: Healthcare

In a recent interview with Becker's Hospital Review, our CCO Bob Grant highlighted what is necessary for healthcare providers to achieve, illustrate and maintain HIPAA compliance in 5 easy to understand steps.

1. Perform a "true" risk analysis. To understand system vulnerabilities, healthcare providers have to do an internal risk analysis or hire an outside auditor to perform a risk analysis for them. To perform a "true" risk analysis, the provider has to be able to say "no, we don't comply with a certain part of the regulation," says Mr. Grant. Although many healthcare providers are hesitant to admit they are not HIPAA compliant, honestly answering risk analysis questions is necessary to ascertain what a system's weaknesses are, adds Mr. Grant.

2. Have a remediation plan. Healthcare providers need to use the information from the risk analysis to develop a plan to resolve its vulnerabilities, says Mr. Grant. Along with the remediation plan, providers also need to track the documentation that shows the non-compliance issue was fixed. There are tools available that help providers track the documentation, and healthcare systems with multiple facilities should utilize the tools to simplify the process, adds Mr. Grant.

3. Have vendor management protocols. Healthcare providers need to have a valid business associate agreement in place with all vendors they are sharing patient information with, says Mr. Grant. Providers should send vendors a HIPAA security audit to ensure the vendor is in compliance with the HIPAA security rule. It is important for healthcare providers to address all vendor non-compliance issues because "if you act like an ostrich and put your head in the sand, HHS will come down on you hard," adds Mr. Grant.

4. Update documents. The HIPAA omnibus rule requires healthcare providers to have a manual containing current policies and procedures addressing each part of the omnibus rule — such as business associate agreement monitoring and sanction strategy. Providers' policies and procedures must be updated "periodically," and it is good practice to update with federal government rule changes or every two years, says Mr. Grant. "You may not have to change the manual when it's reviewed, but you at least have to review the policies and track that you did by at least changing the revised date," adds Mr. Grant.

5. Have an incident management plan. "Everyone has a security incident, it's the nature of healthcare, and security incidents can happen at any organization," says Mr. Grant. The healthcare industry relies on phones, fax machines and other electronic devices that are often compromised and lead to data breaches. As an incident response measure, healthcare providers need to keep accurate records — such as employee HIPAA training documents and audit logs — to determine what information was compromised during a breach and to be able to track the incident to the responsible party, adds Mr. Grant.

- Bob Grant, CCO at Compliancy Group and former HIPAA auditor
