The best way to begin, according to Ben Burton, JD, MBA, RHIA, CHP, CHC, CRC, a consultant for First Class Solutions, Inc., in St. Louis, is with an assessment of your organization’s entire body of policies and procedures, keeping in mind your organization’s resources. Are your policies practical? Are they realistic? Should they be updated or modified to reflect changes in technology, business models, or laws? And, most importantly, are they being followed?
"One of the things I think that most organizations, even pre-HITECH or post-HITECH, is they view that a policy is enough to check the boxes enough for them, but they have to have a policy and then they have to follow up on it," Burton says. "The auditors that are going to come in, or they’re going to step up their HIPAA audits again, are going to look and say, ‘Great, you have a policy—now what are you doing?’ "
A policy is only worth something if it’s being followed. That means the privacy and security officer also has to be an educator. Providing the minimum amount of training isn’t enough, Burton says. Many of the recent major breaches have been caused by phishing and social engineering emails, in which employees have essentially, although unknowingly, handed over access to PHI to hackers. "If you have the best security in the world, but you let a hacker in your front door, there’s nothing you can do about it," Burton says.
This article was originally published in Briefings on HIPAA. Subscribers can access the full article in the January 2016 issue.