The essentials of any good compliance program can be broken down into five broad categories: management support, knowledge, documentation, education and controls.
Assuming the compliance program has management support, the next step is knowledge: working with the various business units to identify which data falls under HIPAA regulations (protected health information), who has access to it and what controls currently protect it. This is also a prime time to review the existing security and privacy policies.
Once a baseline is established, it's time to move into the documentation phase. Documentation is key, as it will enable you to cleanly communicate to upper management where any deficiencies lie in the existing data protection program and justify the necessary changes that will bring the company into compliance.
This brings us to education. For a compliance program to be successful, everyone involved needs to understand what the requirements are (policies, procedures, etc.) and why they are important, as well as the consequences of non-compliance. In the case of HIPAA, there is also a mandate to notify patients and customers of their rights, and employees need to understand that process as well.
The final category is controls. These are documented methods for ensuring that data stays where it is supposed to be. Some will be technical (firewalls, encryption, DLP, etc.), but a good portion will be process or administrative controls (need to know, log reviews, manual audits, written permission for data sharing) and physical controls (locks, safes, document destruction). This mirrors the HIPAA Security Rule's own grouping of safeguards into administrative, physical and technical categories.
Hopefully, once you've documented the company's current position and properly educated management about deficiencies, they will approve the necessary funding and changes so you can start working on the plan for remediation. Good luck!
Related Q&A from David Mortman, Contributor