Ask the Expert

What's the best strategy to catch up on HIPAA compliance quickly?

Since HIPAA regulations have never been enforced (until recently), management has let our HIPAA compliance efforts fall woefully behind. What's the best place to start so that we can become compliant as quickly as possible?


There's a long road in front of you, but better late than never. The best place to start is with a mandate from the executive team declaring that HIPAA is now a priority. Without the support of management, your efforts will be an exercise in futility.

The essentials of any good compliance program can be broken down into the following broad categories: management support, knowledge, documentation, education and controls.

Assuming the compliance program has management support, the next step involves working with the various business units to identify what data falls under HIPAA regulations, who has access to it and what controls are in place to protect it. This is also a prime time to review the existing security and privacy policies.

Once a baseline is established, it's time to move into the documentation phase. Documentation is key, as it will enable you to cleanly communicate to upper management where any deficiencies lie in the existing data protection program and justify the necessary changes that will bring the company into compliance.

This brings us to education. For a compliance program to be successful, everyone involved needs to understand what the requirements are (policies, procedures, etc.) and why they are important, as well as the consequences of non-compliance. In the case of HIPAA, there is also a mandate to notify patients and customers of their rights, and employees need to understand that process as well.

The final category is controls. These are documented methods for ensuring that data stays where it is supposed to be. While some of these will be technology oriented (firewalls, encryption, DLP, etc.), a good portion will also be process oriented (need to know, log reviews, manual audits, written permission for data sharing) and physical controls (locks, safes, document destruction).

Hopefully, once you've documented the company's current position and properly educated management about deficiencies, they will approve the necessary funding and changes so you can start working on the plan for remediation. Good luck!


This was first published in November 2008
