By Jack Anderson
March 10, 2016
HHS has stated that they don’t expect perfection as the standard for HIPAA compliance. Instead they want to see that the organization has a plan, that they are executing on that plan and that they are documenting the results. As HHS says HIPAA compliance is a process, not an event.
The initial baseline measurement should be a comprehensive risk assessment which will include a Gap Report. This is a prioritized list of your deficiencies which for most organizations will include updating policies, and documenting security awareness training for staff. For larger organizations a scan of their workstations using a SCAP scanner might be necessary.
In our Jumpstart program you get an initial list of tasks in our Prepare program that include an initial risk assessment, updating policies, and scheduling staff for security awareness training. Once this is done a followup risk assessment will show the progress and put the organization into intial HIPAA compliance.
The next stage is called Care and this is what keeps the organization HIPAA compliant. Each month you get a new task list of things that need to be done to continue to show progress. A quarterly task is to do another updated risk assessment to demonstrate the progress you have made during that quarter. In addition the Care program is keeping a history of your compliance activities and displaying your compliance levels through the Compliance Meter(r). The History tab shows when a task was due, a description of the task, when it was accomplished, and the person that accomplished the task.
Additionally when policies are edited and updated by you they are automatically reviewed by the Helper assigned to the organization. The Helper is a HIPAA expert that is also available to answer any questions you might have. Together these features give you a simple path, with help and advise,to stay in a “safe harbor”.
To date no client of either Compliance Helper or ACR2 Solutions who was following our programs has ever failed an audit.