How a Functional Compliance Program Can Protect PHI

Posted by Ken Reiher

Best practices to establish and maintain security and compliance to protect patient data

ComplyAssistant recently contributed an article on managing functional compliance programs in the January/February 2019 edition of Journal of Health Care Compliance. The following blog post covers some of the key points.

Before the digitization of healthcare records, protected health information (PHI) was mainly stored on paper charts and records and in data centers. The value of personal information was low. Now, however, ePHI is extremely valuable, and attackers will find a way in. As we way in the industry, “it’s not a matter of if. It’s when.” Healthcare organizations fend off tens of thousands of attacks every day.

Protection against such attacks requires diligent, persistent guardianship of every possible path into a network. But protection doesn’t stop at using technology to block attacks; it requires a governance structure and underlying culture to maintain a functional compliance program.

Here are 9 steps to build a functional compliance program to protect your organization and your patients’ PHI.

  • Be ready for change. Creating a culture of compliance takes time and organizational change management. Think about what your organization needs to truly be functional – be it administrative oversight, employee training or proper funding.
  • Document, document, document. Like the old real estate adage “Location, Location, Location,” this is your compliance motto. Document all your evidence of compliance – policies and procedures, assessments, disaster recovery plans, facility security – and make sure it’s updated if you make any organizational changes. We also recommend that you store all your documentation in a single location, like a GRC healthcare software solution.
  • Keep it consistent. HIPAA requires healthcare organizations to conduct regular assessments. We recommend you perform them at least once a year. If you have any organizational changes, such as a merger or acquisition, perform the assessment again.
  • Take action. After assessing risk, form an action plan to mitigate. Focus on high-risk areas first and work your way down the list. And, remember to document everything in case you need to provide evidence of due diligence.
  • Get a handle on third-party vendors. Do you know who all your business associates (BAs) are? What about downstream BAs? Make sure you have an inventory of all your third-party vendors, and that they go through the same risk assessments you perform internally.
  • Scrutinize medical devices. As a subset of BAs, medical devices should be treated with the same rigor as your internal and external assessments. Pay special attention to the age of the medical device technology and if the encryption is up-to-date per your standards. We also recommend putting role-based access controls on all devices in your facility.
  • Consider downstream BAs. For any third-party work, develop a policy and BAA that requires documentation of any downstream BAs, and includes provisions for cybersecurity insurance. We also recommend that you administer a survey for all remote access organizations to ensure they are not working in areas that are vulnerable to unauthorized access.
  • Train your staff. Internal staff is one of the highest risk areas for unauthorized access and use of PHI. Make sure your training is consistent, frequent and enforced. Key to establishing functional compliance is empowering the staff to speak up if they see something amiss.
  • Form a governance committee. Create and maintain a multi-disciplinary executive committee that will build, resource and enforce a functional compliance program. The committee should meet quarterly, review risk status and make decisions on future actions needed (TIP: download our Quarterly Report Card to help with this).

Want more? Read our Fundamental Guide to Compliance Management Software

For a consultation and demo, contact ComplyAssistant.