By Jack Anderson
May 2, 2014
HIPAA compliance is a new chore for most business associates and it can look formidable, but with a little planning, some good tools, and sound advice you can get it done in thirty days, working on it only an hour per day. The first step is appointing your privacy and security officer. Having an overall plan and a process is critical, and the privacy and security officer is responsible for setting it up. Once the steps have been established you need reminders when tasks are due, a way to document completing the tasks, and a way to see your progress. Once you get through the initial steps of developing policies, procedures, and forms that are customized to your business model and meet the standards established in the HIPAA Omnibus Rule, you need an on-going risk management program.
Let’s talk about tools. The range of tools is wide, with everything from a printed policy and procedures manual, to DVDs that let you put in your company name and print the manual, to interactive SaaS or cloud based tools, and of course an on-site consultant. The first thing that is apparent is the wide range of costs involved. You can probably find a canned set of policies and procedures for a few hundred dollars, a DVD for $500 or so, SaaS models ranging from $99 to $995, and consultants starting at $1500 per day for on-site help. The most important consideration after price is effectiveness. A static set of policies and procedures will quickly become out of date, and remember that HIPAA compliance is a process, not an event, so make sure you get a tool that is interactive and supports documentation.
Advice also comes in a wide range of prices and quality. At the low end you get some instructions with your manual, or perhaps FAQs or a Help Desk. At the high end you get a consultant visiting your organization and available for telephone consultation at all times. In the middle is the SaaS model that gives you access to the same consultant but through the software tools at a much lower cost.
HIPAA risk assessment is a requirement, but here too there is a wide range of solutions depending on the size and complexity of your organization. Very small organizations with a simple business model can do a self-assessment as long as they follow the principles of a HIPAA risk assessment. The most accepted model is the NIST model, which will tell you what questions to ask, how to evaluate risk, and how to write a gap analysis.
Metrics are important. You need to know where you stand, and you need to be able to demonstrate your compliance to your business partners.
For a demonstration of how a SaaS model works go to www.complianchelper.com and click on the appropriate tab under See How It Works, or if you want to evaluate your current level of compliance click on the Download Checklist tab.