If you haven’t taken at least the following seven steps toward compliance with the HIPAA security rule, you’ll be hard pressed to convince someone that you’re in compliance, according to Tom Walsh, president of Tom Walsh Consulting, LLC, in Overland Park, Kansas.
Security compliance official. Organizations must assign someone with responsibility for overseeing information security. Walsh suggested appointing a privacy and security officer who reports to someone high up in the organization.
Standards of conduct. Next, Walsh said, the organization should set standards of expected conduct and memorialize them in written policies and procedures, guidelines, or standards so people know what the expected behavior is. Health information management (HIM) professionals can help write policies and procedures. "That’s one area where I think [they] could really contribute," he said. Angel Dinh, a manager of professional practice resource at AHIMA, recommended that all staff contribute to security.
Training and education. Training needs to include all staff, Dinh noted. Walsh pointed out that many managers with whom he has spoken believed they were exempt from training requirements. Walsh suggested establishing a formal information security training program that documents audiences, content, and delivery methods (e.g., syllabus, attendance sheets, handouts). The program should include detailed security training for specific audiences and periodic security awareness for everyone, he said.
Incident reporting. Organizations should have a process for reporting and tracking incidents and emphasize that incident reporting is there to correct current incidents and avoid future ones, not to punish employees.
Incident response procedures. Entities should create an incident response team and develop a plan for responding to incident reports. Walsh emphasized the importance of making those decisions before a crisis has occurred and noted his observation that most health care organizations lack incident response procedures. Incident response team members and other IT staff should be trained on collecting and handling evidence during an investigation, and the organization should establish remediation or action plans to prevent similar incidents in the future, he advised.
Auditing and monitoring. The next step, according to Walsh, is to conduct ongoing auditing and monitoring for compliance. Security officers should determine user activities and events that trigger an audit log entry, implement procedures to periodically review compliance, establish an audit log retention schedule, and establish an evaluation and validation process.
Corrective actions. When taking corrective actions (e.g., sanctions, risk management, security controls), officers and management should make sure that sanctions are applied consistently. Walsh also recommended reducing risk to an acceptable level, which could require strengthening administrative, physical, and technical security safeguards and controls.
CCH Washington Bureau, Jan. 23, 2008.