Continuing the Discussion: Moving Toward HIPAA Compliance

By: Susan Pretnar, President KeySys Health, LLC.

  Previously, I discussed the inadequacy of answering ‘yes’ or ‘no’ to a checklist of HIPAA Privacy and Security requirements and assuming that simply finishing that task will provide your practice or company (if you are a BA) some level of PHI privacy and security protection. There is a serious disconnect in the industry between the need or desire to comply with one requirement of HIPAA, or HITECH Meaningful Use, and the need to implement a risk management program. A comprehensive risk management program should assure compliance with all HIPAA/HITECH rules. If effectively implemented, a risk management program actually offers you a fighting chance to reduce your risk of improperly handling or securing a patient’s protected health information. Simply completing a risk assessment, without acting on the results, reduces none of your risk, including your risk of non-compliance with HIPAA or HITECH.

HIPAA security compliance means that covered entities and their business associates can demonstrate that they have well established business practices in place that are appropriate to their level of risk and complexity. The risk assessment is simply a stimulant to launch an honest examination of the maturity of your security risk management efforts and indicates where changes are needed. Having a program ‘in place’ means your policies and procedures are documented, the appropriate staff has been trained on them, and you have not only implemented the procedures as defined, but also have a process for monitoring their effectiveness.

The point of risk management for healthcare is to safeguard PHI. How many of the recommended security controls do you have documented and fully implemented in your business? If you have checked ‘no’ to a significant number of control requirements on whatever risk assessment instrument you are using, or have never completed a risk assessment, you probably do not have an ongoing risk management program in place.

A recent HHS press release (March, 28, 2014) announced that their free risk assessment checklist can be accomplished online at the participant’s own pace. It includes a summary report in case you need evidence of your assessment for an auditor. HHS is careful to point out that using their instrument does not guarantee compliance with the risk assessment requirement. Almost as an aside, HHS mentions this one significant fact:

  “Your “yes” or “no” answer will show you if you need to take corrective action for that particular item. There are a total of 156 questions.”

HHS, through the Office of Civil Rights, clearly intends to audit based on the corrective actions that you have taken, not on whether you have answered 156 questions. Very few healthcare entities will not have gaps in their programs. Can your checklist provide a prioritized blueprint for needed corrective action based on your vulnerability to gaps in your privacy and security controls?

Understanding and appreciating the value of investing in risk management is akin to understanding the value of investing in liability insurance. It is a cost of doing the business of healthcare that helps you maintain patient trust, secure your reputation, avoid financial ruin, and incidentally, demonstrate compliance with HIPAA/HITECH.

I highly recommend the videos provided by OIG Attorneys under their HEAT Provider Compliance Training Initiative. While mainly focused on reducing fraud and abuse, two videos in particular address fundamental pillars of any compliance program: Compliance Program Basics, and Tips for Implementing an Effective Compliance Program.

  See http://oig.hhs.gov/newsroom/video/2011/heat_modules.asp

My next posting will discuss how to use the risk assessment to formulate a risk remediation plan, as HHS says, to ‘take corrective action’. It’s the next move toward compliance.



bio: Susan Pretnar, President KeySys Health, LLC. More than 30 years experience in the health care industry includes extensive development work in Information Systems, as well as executive management responsibilities for multiple large business operations. Ms. Pretnar’s knowledge of electronic medical record applications and responsibility for a major electronic clinical data repository and network required understanding both state of the art software solutions and multiple telecommunications protocols. Ms. Pretnar applies her knowledge of the health care industry, and extensive project planning and system implementation experience to create innovative, simplified and cost effective risk management solutions that accelerate an organization’s ability to protect its data and infrastructure, reduce risk and be compliant with security and privacy regulations. KeySys Health, LLC. provides the people, processes, and technology needed for all phases of the risk management program development lifecycle. Our mission is to provide a blueprint for a covered entity to implement and efficiently manage a HIPAA Security Risk Management Program.