Wanda Hardy and Jeffrey Dunifon, both of the Office for Civil Rights (OCR) Region 5, presented yesterday to the OACBDD Tech Alliance at the Delaware County Board facilities.  The one-day program was dedicated to HIPAA compliance.  Among the many best practices presented, they provided an overview of the elements they felt should be included in an effective HIPAA compliance program:

Employee Training and Review.  Best practices for training include initial training for new employees as well as annual updates.  Records of training must be kept for each employee.  Training must be appropriate to the employee's role and effective.

Vigilant Implementation of Policies and Procedures.  Hardy stressed that policies and procedures must be readily accessible to individuals.  It is not acceptable to write the policy and put it on the shelf.  All of the processes detailed in the P&P documentation must actually be implemented.  They conceded that this will require staff time and resources.

Regular Internal Audits.  Covered entities (and business associates) should periodically audit their own compliance with the regulations.  They presented the OCR audit protocol (available at www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html), which covered entities can use as a tool for internal audits.  The audit protocol covers the HIPAA Privacy, Security and Breach Notification Rules.

Prompt Action Plan to Respond to Incidents.  Incidents span the range of patient complaints, employee issues, security breaches and other compliance issues.  Hardy stressed that prompt management action is essential.  This is especially true for incidents such as large-scale security breaches, where rapid response may be important to mitigate possible damage.

Risk Analysis and Ongoing Risk Management.  One of OCR's mantras is that a thorough and accurate computer security risk analysis is the essential starting point for Security Rule compliance.  With the risk analysis in hand, the covered entity must then effectively manage each identified risk: by implementing measures to reduce it, by transferring it (via insurance or outsourcing), or by accepting it and dealing with the consequences if it occurs.  Whether it is done as part of the risk analysis or as a separate ongoing effort, OCR has also made it clear that an IT asset inventory, including knowledge of the location of all electronic PHI, is an essential control.  One cannot protect PHI if one does not know where it is.
