5 key steps of HIPAA compliance
In a recent interview with Becker's Hospital Review, our CCO Bob Grant highlighted what is necessary for healthcare providers to achieve, illustrate and maintain HIPAA compliance in 5 easy to understand steps.

1. Perform a "true" risk analysis. To understand system vulnerabilities, healthcare providers have to do an internal risk analysis or hire an outside auditor to perform a risk analysis for them. To perform a "true" risk analysis, the provider has to be able to say "no, we don't comply with a certain part of the regulation," says Mr. Grant. Although many healthcare providers are hesitant to admit they are not HIPAA compliant, honestly answering risk analysis questions is necessary to ascertain what a system's weaknesses are, adds Mr. Grant.

2. Have a remediation plan. Healthcare providers need to use the information from the risk analysis to develop a plan to resolve its vulnerabilities, says Mr. Grant. Along with the remediation plan, providers also need to track the documentation that shows the non-compliance issue was fixed. There are tools available that help providers track the documentation, and healthcare systems with multiple facilities should utilize the tools to simplify the process, adds Mr. Grant.

3. Have vendor management protocols. Healthcare providers need to have a valid business associate agreement in place with all vendors they are sharing patient information with, says Mr. Grant. Providers should send vendors a HIPAA security audit to ensure the vendor is in compliance with the HIPAA security rule. It is important for healthcare providers to address all vendor non-compliance issues because "if you act like an ostrich and put your head in the sand, HHS will come down on you hard," adds Mr. Grant.

4. Update documents. The HIPAA omnibus rule requires healthcare providers to have a manual containing current policies and procedures addressing each part of the omnibus rule — such as business associate agreement monitoring and sanction strategy. Providers' policies and procedures must be updated "periodically," and it is good practice to update with federal government rule changes or every two years, says Mr. Grant. "You may not have to change the manual when it's reviewed, but you at least have to review the policies and track that you did by at least changing the revised date," adds Mr. Grant.

5. Have an incident management plan. "Everyone has a security incident, it's the nature of healthcare, and security incidents can happen at any organization," says Mr. Grant. The healthcare industry relies on phones, fax machines and other electronic devices that are often compromised and lead to data breaches. As an incident response measure, healthcare providers need to keep accurate records — such as employee HIPAA training documents and audit logs — to determine what information was compromised during a breach and to be able to track the incident to the responsible party, adds Mr. Grant.

- Bob Grant, CCO at Compliancy Group and former HIPAA auditor