By Jack Anderson
March 9, 2015
The Cycle of HIPAA Compliance
The key elements of the Cycle of Compliance are a risk assessment, risk remediation, and training. Let’s examine each and then talk about how they are linked.
I have talked about a HIPAA risk assessment done to the NIST standards in the past, but to refresh our memories, the NIST standard is the only standard recognized by the federal government. In addition, the Security Content Analysis Protocol (SCAP) scanner developed by the federal government is an integral part of the assessment. The Risk Assessment Report and the Gap Analysis are the documentation of the results.
Remediation is addressing the gaps, which typically include failing to have written policies and procedures that meet the current standards and are tailored to your organization. If you are new to HIPAA, it is usually worthwhile to address the policies and procedures before running the initial risk assessment, as they will greatly enhance your score on the risk assessment. The process we use is to provide templates of policies and procedures that meet the current standards and to guide you through an on-line process of editing them to fit your organization, under the supervision of a HIPAA expert.
Training of your staff is another key part of the Cycle of HIPAA Compliance. The most cost-effective and efficient method is to have your staff watch HIPAA videos on-line and then take a quiz to demonstrate their knowledge.
Documentation of completion of all of the areas of the cycle is critical. Documentation is what will help build a “legal firewall” around your company.
A monthly task list is what drives the cycle and links the activities. Each month you get a list of the compliance tasks you must accomplish to stay compliant. As these tasks are accomplished, they are documented by the system and become part of your HIPAA compliance history.
For more information about the Cycle of HIPAA Compliance contact me at jack@compliancehelper.com