By: Susan Pretnar, President at Keysys Health
In previous posts, I mentioned that simply accomplishing a one-time assessment and analyzing your risks at a single point in time does not a risk management program make. By developing a plan of action to correct the gaps identified in your risk assessment, you stand a greater chance of actually implementing required policies, procedures and plans that resolve the ‘holes’ in your risk management program. Revising and maintaining a documented risk remediation plan is a basic tenet of an ongoing risk management program, as well as a requirement of HIPAA.
A risk remediation plan is a roadmap for getting unresolved privacy and security requirements implemented in your practice or company, and another step toward HIPAA compliance. Just as there are many assessment techniques, there are myriad ways to develop a plan of action. But it is important to have your plan documented. Don’t ignore the need to plan a budget for some of the changes that will be needed, especially if there are technology weaknesses that should be addressed. It is highly recommended that you use some basic project management techniques to keep your plan moving forward: document agendas and minutes, schedule routine status meetings, create an issues log, and assign a specific project manager for each remediation project.
Develop a remediation plan by identifying the highest rated risks from your assessment. If your assessment instrument did not provide some type of rating system to allow you to prioritize your risks (gaps), it will be necessary to devise a system to do so, however simple. The HHS/OCR web site provides a discussion of how to think about vulnerabilities, threats and risks:
The goal is to identify the privacy or security gaps that pose the greatest threat to your company and attempt to resolve them first. For instance, if your clinicians are using mobile devices to acquire PHI, and you have no policy or procedures to assure secure access to PHI data using mobile technologies like smartphones and tablets, that weakness is a very high-priority gap for your organization.
The basic elements of any plan require that you identify the actions needed to accomplish project tasks, i.e., define and document a policy, develop and document procedures, develop an implementation schedule, develop and deliver a training plan, etc. The remediation plan should indicate the specific individual who is assigned responsibility for each task, and include an estimate of the time it will take to accomplish the task, so that progress can be measured. Regardless of size, most companies must also budget for projects like IT system penetration testing or vulnerability scans.
Plans of action are only temporarily static. Technology changes rapidly, practices expand or relocate, and hundreds of other changes impact the scope of risks to your practice. For this reason, the HIPAA Rule requires routine reexamination of your organization, which invariably leads to a revision of your risk remediation plan. Your risk remediation plan is one of the cogs in the wheel of an ongoing risk management program.