The essentials of any good compliance program can be broken down into the following broad categories: management support, knowledge, documentation, education and controls.
Assuming the compliance program has management support, the next step involves working with the various business units to identify what data falls under HIPAA regulations, who has access to it and what controls are in place to protect it. This is also a prime time to review the existing security and privacy policies.
Once a baseline is established, it's time to move into the documentation phase. Documentation is key, as it will enable you to cleanly communicate to upper management where any deficiencies lie in the existing data protection program and justify the necessary changes that will bring the company into compliance.
This brings us to education. For a compliance program to be successful, everyone involved needs to understand what the requirements are (policies, procedures, etc.) and why they are important, as well as the consequences of non-compliance. In the case of HIPAA, there is also a mandate to notify patients and customers of their rights, and employees need to understand that process as well.
The final category is controls. These are documented methods for ensuring that data stays where it is supposed to be. While some of these will be technical controls (firewalls, encryption, DLP, etc.), a good portion will be process controls (need to know, log reviews, manual audits, written permission for data sharing) and physical controls (locks, safes, document destruction).
Hopefully, once you've documented the company's current position and properly educated management about deficiencies, they will approve the necessary funding and changes so you can start working on the plan for remediation. Good luck!
This was first published in November 2008.