Nashville, Tenn. (PRWEB) May 02, 2014
Industry leaders discussed how to respond to the growing complexity of preparing for privacy and security enforcement actions in the wake of a new crop of federal and state enforcers, during the most recent monthly HIPAA-HITECH Blue Ribbon Panel™, hosted by Clearwater Compliance.
A wide range of entities, including the Federal Trade Commission and the Securities and Exchange Commission, have joined the Office for Civil Rights to police the safeguarding of protected health information (PHI). According to the panel, it’s a scary new world for healthcare organizations.
“It’s concerning,” said Blue Ribbon Panelist Gregory J. Ehardt, HIPAA/Assistant Compliance Officer for Idaho State University. “HIPAA is a journey, not a destination, and when you add in all these enforcement layers, lots of organizations are fearful, and rightfully so.”
Even as these new enforcers add pressure for better privacy and security practices, the OCR has never been more aggressive in levying significant financial penalties on organizations not meeting baseline expectations for PHI protection.
“OCR is losing patience quickly with organizations who aren’t prepared,” said Adam Greene, Partner with Davis Wright Tremaine LLP. “Not having a risk analysis in place, not encrypting laptops, failing to have a culture of compliance…there was a day when a corrective action plan would be enough to satisfy OCR in these areas, but those days are behind us.”
The Blue Ribbon Panel offered attendees helpful tips to prepare a healthcare organization to meet the scrutiny of a federal or state investigation. Among the best practices cited were:
- First, complete a thorough risk analysis. This sets the framework for the entire compliance program.
- Immediately following the completion of a risk analysis, use the findings to formulate a risk management plan. OCR wants evidence healthcare organizations are identifying and proactively managing security and privacy risks.
- Create a culture of compliance. Build broad awareness and underscore the importance of information privacy and security.
- Ensure you have an effective workforce strategy. Institute thorough background checks and implement rigorous controls around workforce access to PHI and termination of access. Train your staff on policies and procedures and be consistent with sanctions for employee misconduct.
- Take a balanced approach. Ensure equal time and emphasis are dedicated to policies, procedures, people and safeguards as you work through the compliance journey.
“Regulators are seriously trying to motivate organizations to do the right thing,” said Rick Kam, President of ID Experts. “These agencies are focused on a handful of best practices and are calling out organizations who don't comply so that others will take notice and take action.”
Those best practices are largely centered on risk analysis and risk management, although panelists cautioned attendees about having tunnel vision.
“Keep in mind that although these areas are definite priorities, you still can have investigations that address other issues,” said Greene.
If an organization is unfortunate enough to be involved in an investigation, the Blue Ribbon Panel experts suggest the staff should be responsive and learn all they can.
“Be prepared to answer the tough questions and offer an accurate assessment of your current situation,” said Kam. “You want to be open and transparent. You also want to make sure the investigator has a contact within your organization who is informed and can ensure timely responses.”
“When you’re going through it, it’s painful but it really sharpens the saw,” said Ehardt. “It forces you to dedicate resources, time and energy to areas you should have already. It can be a very positive learning experience.”
In the end, the panel consistently expressed the virtues of being prepared.
“Regulators aren’t going after companies who are trying to do things the right way,” said Greene. “They are looking for companies who are not taking adequate measures.”
Ehardt agreed. “They are not out to shut doors or close businesses,” he said. “But they are out to make statements.”
Interested organizations can access a full recording of this web event.
Next up for the Blue Ribbon Panel is a discussion on Risk Analysis DOs and DON’Ts. The web event is scheduled for Thursday, May 29, 2014, 3:30 pm – 5:00 pm CDT.
About the HIPAA-HITECH Blue Ribbon Panel
Clearwater Compliance convenes the HIPAA-HITECH Blue Ribbon Panel monthly for 90-minute interactive sessions via an ongoing series of live web events. Each session features 5-6 national experts who share insight and exchange ideas while fielding questions from attendees.
About Clearwater Compliance: http://www.clearwatercompliance.com
Clearwater Compliance, LLC, focuses on helping healthcare organizations and their service providers become and remain HIPAA-HITECH compliant. Owned and operated by veteran C-suite healthcare executives, Clearwater Compliance provides comprehensive, by-the-regs HIPAA software and tools, risk management solutions, training, and professional services for organizations ranging from small medical practices and healthcare startups to major healthcare systems, health plans and Fortune 100 companies. Since 2003, the company has served more than 350 organizations. Find out more about our HIPAA compliance software, solutions and consulting services at clearwatercompliance.com or connect via Twitter: @ClearwaterHIPAA.