In last month’s article, I discussed the inadequacy of answering ‘yes’ or ‘no’ to a checklist of HIPAA Privacy and Security requirements and assuming that simply finishing that task will provide your practice or company (if you are a business associate, or BA) some level of PHI privacy and security protection. There is a serious disconnect in the industry between the need or desire to comply with a single requirement of HIPAA, or of HITECH Meaningful Use, and the need to implement an ongoing risk management program.
A comprehensive risk management program should assure compliance with all HIPAA/HITECH rules. If effectively implemented, a risk management program actually offers you a fighting chance to reduce your risk of improperly handling or securing a patient’s protected health information. Simply completing a risk assessment, without acting on the results, reduces none of your risk, including your risk of non-compliance with HIPAA or HITECH.
HIPAA security compliance means that covered entities and their business associates can demonstrate that they have well-established business practices in place that are appropriate to their level of risk and complexity. The risk assessment is simply a catalyst that launches an honest examination of the maturity of your security risk management efforts and indicates where changes are needed. Having a program ‘in place’ means your policies and procedures are documented, the appropriate staff have been trained on them, and you have not only implemented the procedures as defined, but also have a process for monitoring their effectiveness.
The point of risk management for healthcare is to safeguard PHI. How many of the recommended security controls do you have documented and fully implemented in your business? If you have checked ‘no’ to a significant number of control requirements on whatever risk assessment instrument you are using, or have never completed a risk assessment, you probably do not have an ongoing risk management program in place.
A recent HHS press release (March 28, 2014) announced that their free risk assessment checklist can be completed online at the participant’s own pace. It includes a summary report in case you need evidence of your assessment for an auditor. HHS is careful to point out that using their instrument does not guarantee compliance with the risk assessment requirement. Almost as an aside, HHS mentions this one significant fact:
“Your ‘yes’ or ‘no’ answer will show you if you need to take corrective action for that particular item. There are a total of 156 questions.”
HHS, through the Office for Civil Rights, clearly intends to audit based on the corrective actions that you have taken, not on whether you have answered 156 questions. Very few healthcare entities will have no gaps in their programs. Can your checklist provide a prioritized blueprint for needed corrective action, based on the risk each gap in your privacy and security controls actually poses?
Understanding and appreciating the value of investing in risk management is akin to understanding the value of investing in liability insurance. It is a cost of doing the business of healthcare that helps you maintain patient trust, secure your reputation, avoid financial ruin, and incidentally, demonstrate compliance with HIPAA/HITECH.
I highly recommend the videos provided by OIG attorneys under their HEAT Provider Compliance Training Initiative. While mainly focused on reducing fraud and abuse, two videos in particular address fundamental pillars of any compliance program: Compliance Program Basics and Tips for Implementing an Effective Compliance Program.
See http://oig.hhs.gov/newsroom/video/2011/heat_modules.asp
My next article will discuss how to use the risk assessment to formulate a risk remediation plan, as HHS says, to ‘take corrective action’. It’s the next move toward compliance.
Susan Pretnar is the President of KeySys Health, which works with medical practices to implement and manage a HIPAA Security Risk Management Program.