Proving HIPAA HITECH Compliance

Sunday, January 30, 2011

Jack Anderson


Here is the challenge:  You are a covered entity (CE) with 500 business associates (BA).  You have business associate agreements in place but your legal advisors state that this does not meet the standard of "suitable assurance" demanded by HIPAA rules.

Possible solutions would be to visit each BA, require them to send copies of their policies and procedures, send them a questionnaire, get an attestation from their privacy and security officer, ask for proof of compliance, or hope for the best.

Unfortunately, there is no third party authorized by HHS to attest to their compliance, the way The Joint Commission or JCAHO can attest to accreditation.  Even if they could prove to your satisfaction that they were compliant in January, how would you know that they were still compliant in February, or March, and so on? The Compliance Meter is our solution.

The Compliance Meter allows an organization to demonstrate their ongoing information security and privacy compliance.

The process of arriving at the scores for policies, procedures, and forms reflects our overall philosophy of giving the client templates, having them edit the templates to match their unique organizational internal processes and risks, and then having a human expert (that we call a Helper) check their edits to ensure that they are accurate and still meet the compliance requirements.

As clients work their way through the templates and get them approved, their percentage of completion is reflected by the Compliance Meter.  A score of 100 means that all of the policies, procedures, or forms have been edited, reviewed, and approved.

Once organizations have achieved their initial level of compliance, they move into “Care,” or monitoring and maintenance, mode.  Each month client organizations receive a list of tasks that they must accomplish in order to stay in compliance.  As these tasks are completed and checked off, their Care score increases.

The Compliance Meter reflects their Care score from the previous month.  We maintain a complete history of these tasks, including the date and time of completion as well as the individual who completed the task.

In addition to tasks, client organizations may also need to implement new or revised policies, procedures, or forms to reflect changes in the compliance requirements.  Their scores will go down until the new and updated documents have been reviewed, edited, and approved.

With a Helper providing oversight, those viewing the Compliance Meter can be assured that they are seeing a reflection of the current ongoing level of compliance.

Cross-posted from Compliance Helper

Chris Dorr: Not a chance. When HHS comes knocking after your sub breaches 200,000 PHI records? And you tell them "Well, no... we didn't go onsite. Nope, we didn't audit. We did ask them to fill out a Compliance Meter. So it isn't our fault they had an unprotected wireless network into their production systems, right?" The answer will NOT make your CFO happy.

HHS (and other federal organizations) have made it clear they view healthcare reform as an opportunity for revenue enhancement. If you do not do some on-site audits, by professional auditors? You WILL be fined, and big time.

HITECH pretty clearly requires greatly enhanced oversight of your BAs and subs. This "compliance meter" approach may be fine for smaller vendors, but if you have a vendor who handles PHI over the magical 500 record threshold? You really need to be thinking about an on-site.

Jack Anderson: Please excuse my long delay in commenting but this comment got lost in space.
The Compliance Meter is just the "at a glance" reflection of the current level of compliance of an organization. Through the cloud computing model an interested party with approval from the organization can drill down into specific policies, procedures, and forms, see when they were edited and by whom and when they were approved by the privacy and security expert assigned to the account. They can also view a list of all tasks completed by the organization. These tasks are assigned monthly and are part of what is reflected in the meter. An on-site visit may certainly be warranted in specific situations but having this level of transparency with all business associates would certainly be an improvement over the current situation where CEs rely on their business associate agreements to protect them.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.