By Jack Anderson
September 4, 2014
People continually ask why they can’t just get HIPAA compliant and then stop. The answer is that things change. Your business changes and hopefully grows; you get new software, perhaps a new line of business, or just new staff. Each of these changes requires corresponding changes to your organization's HIPAA compliance program. The other big thing that changes is HIPAA itself. By that I mean that the regulations change, or deadlines that were set in the past come due.
September 22, 2014 is one of those deadlines that is easy to forget. You are busy running your business and suddenly, without noticing it, you have missed a deadline and are out of HIPAA compliance. Way back in January of 2013, HHS announced that if you had business associate agreements (BAAs) in place before January 25, 2013, you would get a grace period to update those BAAs to reflect the changes brought about by the HIPAA Omnibus Rule. That final deadline is now looming, and many healthcare organizations and their business associates are going to be caught off guard.
This is just one example of the kind of thing a covered entity or business associate must be aware of on an ongoing basis. There are many recurring deadlines for HIPAA compliance, such as HIPAA risk assessments and training.
Here is an example of a monthly task list for a large Compliance Helper client:
Care Checklist — Tasks Due This Month (September)

Information Security and Privacy Program Management (6 due; 1 overdue)
  - Executive Management Updates (Quarterly)
  - Personal Information Inventory Maintenance (Monthly)
  - Data Protection Compliance, Laws, Regulations and Standards Requirements Monitoring (Quarterly)
  - Access, Authorization, Process, and Technical Controls Review and Maintenance (Quarterly)
  - Access, Authorization, Process, and Technical Controls Review and Maintenance (Annually)
  - Passwords (Monthly) (Was due August 2014)
  - Passwords (Monthly)

Training and Awareness (1 due; 1 overdue)
  - Awareness Content and Activities Update (Was due August 2014)
  - Awareness Content and Activities Update

Information Technology (1 due)
  - Ongoing IT Information Security and Privacy Training and Awareness

Audit (1 due)
  - Ongoing Auditor Information Security and Privacy Training and Awareness

Legal (1 due)
  - Assigned Legal Department Security & Privacy Responsibility Maintenance

Facilities Management and Security (1 due)
  - Assigned Facilities Management and Security Information Security and Privacy Responsibility Maintenance
This list is for a large organization with a complex business model, and we have smaller task lists for smaller organizations. The point is that if you are not remembering to do these kinds of tasks and, critically, documenting them, you will very quickly go out of HIPAA compliance without even noticing.
Our programs and our Helpers work to help you know what you need to do, when you need to do it, and how to document your compliance. With our SaaS model this is done efficiently and cost effectively.
Take a look at www.compliancehelper.com for more answers.