The 2016 Phase 2 HIPAA Audit Program is in high gear with its focus on reviewing covered entity and business associate efforts to meet the standards and implementation specifications of the Privacy, Security and Breach Notification Rules.

These Office for Civil Rights (OCR) enforcement actions are bringing greater scrutiny to how healthcare organizations maintain HIPAA compliance. But HIPAA is not the only mandate. Many healthcare organizations still lack a coordinated strategy for identifying and addressing every regulation and standard that applies to them, such as state data breach notification laws, the Payment Card Industry Data Security Standard (PCI DSS) or the Federal Rules of Civil Procedure, and for translating those mandates into corporate policies, procedures and overall compliance.

Healthcare organizations are under increasing pressure to establish an effective compliance program. Since compliance is an essential element of every healthcare business model, it’s imperative to have a cross-organizational compliance program in place that establishes a coordinated effort across departmental boundaries.

Such a program improves the organization's audit posture and its ability to analyze risk. It also supports the organization's overall compliance strategy by defining how each regulation and standard is translated into corresponding policies, procedures, technologies and processes.

Getting compliance right matters for two reasons: negligence or misinterpretation of requirements can lead to costly fines, penalties and lawsuits, and the same gaps make it more likely that the confidentiality, integrity and availability of information will be compromised.

Developing a cross-organizational compliance program formally assigns the accountability and responsibility for proactively identifying and complying with regulations and standards that apply to the organization.

This program should be responsible for identifying the regulations and standards that apply to the organization, the individuals and business units that need to be involved or informed, and the information security-related provisions that must be addressed to achieve compliance. Integrating the compliance program with the information security program further improves the organization's ability to comply with applicable regulations and standards.

In terms of the characteristics of an effective cross-organizational compliance program, five primary areas should be addressed:

  • Organizational alignment
  • Training
  • Communication
  • Research and review
  • Governance, risk management and compliance oversight

In today’s article, I’ll address the first three topics. Tomorrow, my column will handle the characteristics of research and review, and then governance, risk management and compliance oversight.

Organizational Alignment
An organization’s board of directors and senior management should formally adopt a written compliance program and be involved as part of the compliance management and oversight process.

The board of directors and senior management should designate who is responsible for compliance oversight, define how that function is carried out, and periodically review it and suggest improvements. This responsibility is normally assigned to a compliance officer, who should have reasonable access to the board of directors and senior management.

The compliance program should focus on legal compliance with all applicable regulations and standards, as well as the legal requirements of operating the organization. To achieve this, the compliance officer should draft, or participate in drafting, policies and procedures covering all applicable regulations and standards, or review existing policies and procedures to confirm that they adequately address compliance requirements.

A compliance committee should be in place and include representatives from areas primarily impacted by or charged with ensuring compliance with regulations and standards. This provides the collective leadership, direction and momentum to implement and maintain a successful compliance program. It also supports the definition and review of metrics to gain insight into the adequacy of the overall compliance status and efforts.

Participation should include, at a minimum, the compliance officer, legal, information security and privacy.

Training
Compliance training programs ensure that every user is aware of the organization’s compliance program; the applicable regulations and standards; the conduct users are expected to follow; and the consequences to the user and organization for failing to follow such requirements.

The organization should require participation in training programs as a means of communicating compliance issues effectively. The compliance officer and senior management should determine who receives compliance training so that the cost, scope and other practical concerns of training are addressed up front.

Generally, all users whose function or responsibilities involve compliance with regulations or standards applicable to the operations and practices of the organization should receive compliance training.

Communication
The compliance officer should keep the board of directors and senior management informed of the applicable regulations and standards, so that they can confirm the organization's compliance program meets industry expectations.

The compliance officer should also communicate freely with all levels of staff on a formal and informal basis to discover compliance problems and implement reasonable solutions to achieve compliance. When possible, the compliance officer should attend department meetings periodically to discuss compliance issues with staff.

At least annually, the compliance officer should advise senior management of their responsibility to make business decisions that comply with the applicable regulations and standards, and of the potential liability to the organization if they do not. At least annually, the compliance officer should also remind managers of their duty to monitor their subordinates' activities to ensure those activities comply with the identified regulations and standards.

Brian Evans

Evans, CISSP, CISM, CISA, CGEIT, Senior Managing Consultant with IBM Security Services, assists healthcare organizations in building regulatory compliant information security programs.