Follow this expert advice to ensure your compliance - before it's too late. The security rule compliance countdown has hit full speed. You have fewer than six weeks to pass your toughest HIPAA compliance test yet, but advice from top security experts can help get your security program in tip-top shape. 1. Appoint a security officer. To set your HIPAA security plan in motion quickly, you must pick a dynamic leader to be in charge and get things done, advises attorney Robert Markette with Gilliland & Caudill in Indianapolis.
Home care providers often choose a "computer person" to be the security officer because the security rule addresses electronic data, notes Gene Tischer with the trade association Associated Home Health Industries of Florida. But restricting your security officer choice to an IT person isn't necessary, Markette maintains.
The security officer must make numerous non-technical decisions, Markette says - for example, the procedure to follow when terminating employees or physical security for your building. With time running so short, your security officer will have to delegate many tasks to other employees anyway, and she can delegate technical items to the IT person. 2. Learn the rule. The security officer should take a good look at the HIPAA security rule and learn the requirements. The final rule is at
www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf. 3. Create your compliance team. You should bring in employees from across the organization to serve on the team, explains Beth Rubin, an attorney with Dechert in Philadelphia.. Your security officer should head up the team, advises Greg Young, security officer for Mammoth Hospital in Mammoth Lake, CA.
"The first 30 minutes of your team's initial meeting should be dedicated to educating members on the rule," Rubin stresses. Send team members an information packet or security rule 'cheat sheet' ahead of time, she proposes. A CMS overview of the rule is at
www.cms.hhs.gov/hipaa/hipaa2/education/Security%20101_Cleared.pdf. 4. Develop a task-specific action plan. The result of your first team meeting must be a decisive action plan that outlines how your organization will tackle its security rule compliance, Rubin says. "That includes a strict timetable for when each task will be completed," she adds.
Rubin recommends your action plan answer the following questions: who will conduct the risk assessment; when will the risk assessment be completed; who will be in charge of risk management; who will review business associate agreements; when will all agreements be finalized; who will draft and review policies and procedures (P&Ps); and when will training begin? 5. Assess and manage your organization's risks. Completing your risk assessment will be the bulk of your HIPAA security work, Markette advises.
But the risk assessment doesn't have to be a huge ordeal, says security consultant Chuck Connell of
