Adhering to compliance policies such as HIPAA is essential for a new age medical company or healthcare provider. According to Tom Walsh, it is not wise for medical companies to procrastinate about thoroughly documenting their HIPAA compliance practices, as the restart of the federal audits is about to commence very soon.
Following an established documentation procedure is crucial. No documentation that the medical companies create will count after the date that Department of Health and Human Services’ Office for Civil rights issues the audit notice. In his interview to the Information Security Media Group on the latest Healthcare Information and Management Systems Society safety and privacy forum in Boston, Tom Walsh asserted that policies must reflect precisely what is being done in your environment. A brief policy that in reality highlights your initiatives is better rather than downloading something online that appears impressive with requirements but not in practice. The vital aspect here is to ensure its precision in an audit through a three-step technique.
"The 3 P’s" – Practice, Policy and Perception
Walsh names this three-step technique as "The 3 P’s" – Practice, Policy and Perception. The perception is what the regulators perceive by interviewing multiple levels of management about different policies, such as the password policy. Post this; the regulators will review the enterprise’s actual documented policies to analyze if they match the requirements. After this, to ascertain that the policy is indeed practiced the audit will examine the system administrator. To pass through all these audit criteria, all the 3-P’s must be met.
Linda Sanches, Senior Advisor, OCR asserts that OCR had planned to start the HIPAA audits, but could not until the agency finishes the technology rollout to facilitate documentation collection from the audited entities through a web portal. Furthermore, OCR also plans to update the HIPAA audit protocol released in 2012. According to Walsh, companies need to download the original protocol that has the requirements for compliance with the HIPAA security, privacy and breach notification rules.
eGestalt presently offers compliance services for security and compliance assessment under HIPAA to address the needs of healthcare providers (covered entities) for and Business Associates of covered entities. Various Aegify editions address the needs of small, medium, and large enterprises. Aegify SecureGRC provides built-in templates for policy management documentation based on detailed practice analysis. Based on your practice specific requirements, if needed, it is relatively easy and fast to customize these policies to meet your requirements.
Contact firstname.lastname@example.org for more information.