By Jack Anderson
July 2, 2015
I talk to lots of people who ask variations of the question "Am I HIPAA compliant?" If they are IT people, they will refer to ISO 27001 or PCI DSS, which are compliance standards but not HIPAA standards. If they are covered entities who have been required to be HIPAA compliant for decades, they might think in terms of a "compliance manual". If they are a business associate looking at HIPAA compliance for the first time, the whole concept of HIPAA is daunting.
The first litmus test is having a recent HIPAA Risk Assessment and Gap Analysis. A simple HIPAA checklist is not sufficient: most checklists are 10 questions, while the NIST protocol, which is the industry standard, contains 101 questions. Once you have done the risk assessment, the next task is developing written policies and procedures that meet the standards and are the business rules by which you run your company. Finally, you must train your staff on these rules, because if you are ever audited the auditor will check to see if you have written policies and procedures and then will observe staff to see if they are following them. Having a written policy or procedure and not following it qualifies as "willful neglect" and can cause HHS to fine you as much as $1.5 million per occurrence.
We invented the Compliance Meter® to give people a way to know at a glance whether they were HIPAA compliant at that moment. This was necessary because HHS defined HIPAA as a process, not an event, and refused to develop or authorize a certification process. A process is dynamic, with ups and downs, advances and retreats. HHS is looking for progress, not perfection.
There is no such thing as a bad risk assessment as long as it is followed by a plan to improve, assignment of tasks for improvement, and documentation of your compliance improvement activities.
The three-legged stool (risk assessment, written policies and procedures, and staff training) is your safe harbor, and it is easy to achieve with tools designed to assure HIPAA compliance.
Assure compliance with HIPAAssure®