Seven Steps to Satisfy HIPAA Security

If you neglected to consider the looming security deadline when you made your
New Year's resolutions, it's not too late. This is the year you can whip your facility
into tip-top security compliance.

1. Review your compliance progress. By now, you should have a program

in place to move your organization toward HIPAA-security compliance. That
doesn't mean you must be 100% ready now. You still have time, but the clock is
ticking.

2. Reassess your training program. Does the HIPAA training program you
use work? Ask staff whether they feel comfortable with the general training they
receive and what other information they want. Provide specialized training for
employees who work in specific areas (i.e., network engineers, medical records
department employees, etc.)

3. Review and modify your original risk assessment and develop your
audit program. Your initial analysis should have helped determine the flow of
ePHI in your organization and enabled you to create and enforce security policies
and procedures to fill security gaps.

To make sure you targeted the correct areas, review all critical systems that
process ePHI or other sensitive information and document the purpose of these
systems and the flow of information.
 Identify potential vulnerabilities to evaluate the likelihood and effects of the
risks you determined in your analysis.
 Audit areas of weakness.
 Determine whether the areas you initially selected are still the most
vulnerable and whether the safeguards you developed have worked thus
far.

4. Update policies, processes, and procedures. Base these on your risk-

assessment findings. Prepare to address security breaches and violations.
Review and revise (if necessary) your disaster recovery plan and business
continuation plan.

5. Review the security rule. Just as staff sometimes needs a training

refresher, you may need one yourself. Make sure you are addressing the
required standards and the addressable implementation standards, as
applicable. As a reminder, the security rule breaks mandatory standards into
administrative, physical, and technical safeguards.

6. Hype the importance of documenting all security-related activities. If

an addressable rule specification is not reasonable and appropriate for your
organization, document why. You must then adopt an equivalent measure and
document how that meets the standard or document why you took no action and
how you meet that standard in other ways. Develop your archive process to
handle this additional documentation.

7. Reinforce the necessity for compliance. Inform staff that you will act
against those who fail to comply with your policies and procedures. Follow
through with your warnings. Consider a no-tolerance policy. If necessary, in
extreme circumstances, terminate on the spot for security breaches.