In my final blog post for this HIPAA compliance audit series, I want to touch on a non-technical topic that will undoubtedly be crucial for any HIPAA-Covered Entity – the need for teamwork among the diverse individuals or departments responsible for ensuring compliance.
Today’s “traditional” audit teams must involve both technical and non-technical experts, and the HIPAA/HITECH regulations demand no less. In most cases, medical professionals, techies and even Business Associates must sit down together and examine the complete PHI (protected health information) trail within the organization and then hammer out numerous technical security decisions for each and every standard. That is no easy task.
So, if this process is staring you in the face, I recommend assembling a risk management team whose members are both knowledgeable about all aspects of HIPAA and HITECH and capable of working together successfully. Hopefully, this is a somewhat easier task.
As with any major project, preparation for a HIPAA compliance audit can be broken down into challenging but feasible steps.
- Select a team leader. This person should have a good grasp of your health-care organization and be able to oversee and integrate compliance and IT issues.
- Set reasonable, attainable goals for the team. Where do you need to be with this project in three months, six months, a year? Everyone needs to be on the same page and working towards the same objectives.
- Map out the PHI trail. Keep your eyes fixed only on the processes and equipment that are directly involved in the required security risk analysis.
- Pinpoint the gaps. Where are your risks along the PHI trail? Where are things well under control? This will give your group further focus.
- Map out strategies that sync between compliance, IT and vendors. This is where diverse teams often experience the most conflict. It’s important to make sure compliance, IT and business vendors are pulling together toward the team’s goals. There are numerous low-cost resources that can help with this process, including spreadsheets (the old standby), mind mapping programs, project management tools and more. You may even need more than one!
- Measure progress and tweak strategies, if necessary. You will need to see where things stand at regular intervals (no less than monthly) to ensure that you hit your security goals.
If you are getting ready to embark on this HIPAA-compliance process, I hope this blog series has been helpful to you. As with any government-mandated audit, you will encounter many complexities, but, by assembling a good risk management team, you can take your first steps toward compliance with confidence.
If, during your analysis, you determine that a new copier or printer would better protect PHI, contact us at our North Canton headquarters. We are a Business Associate you can trust.