Tell us about Colington Consulting. What services do you offer? Who should be using them?
Colington Consulting provides a full range of HIPAA compliance services to the healthcare industry and those organizations designated as Business Associates. Our services include conducting HIPAA Risk Assessments, developing HIPAA Risk Management Plans, HIPAA training and hourly consulting. Our services are designed to cover a diversified range of organizations that must comply with HIPAA requirements.
How critical is HIPAA security today? What are the biggest threats to health records?
Based on the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, data breaches could be costing the healthcare industry $6.2 billion. These findings go towards emphasizing the importance of having the proper security safeguards in place to protect patient health information. One of the biggest threats to health records is the emerging trend of ransomware attacks.
What are the most common mistakes or oversights healthcare organizations make when it comes to compliance?
I would categorize the problem as not having a clear understanding of security and privacy requirements under HIPAA. Oftentimes organizations think they are covered when in fact potential threats and vulnerabilities exist. Their internal processes to detect risk are just not thorough enough.
How can organizations better protect their records?
This often starts with how the workforce is trained in security awareness. Under HIPAA, security awareness training is an annual requirement. Once the workforce is sufficiently trained, organizations must make HIPAA compliance a priority. It is an ongoing process and should never be considered a “one and done” deal.
What are the most important or pressing issues surrounding compliance that healthcare organizations should be aware of?
There are three areas I always look at when evaluating a compliance program. Those are the HIPAA Risk Management Plan (policies and procedures), when the last HIPAA Risk Assessment was conducted, and how the organization documents HIPAA training provided to their workforce.
The other area is making sure vendors or contractors who access, store, transmit, or create any of an organization’s protected health information are designated as Business Associates and the necessary Business Associate Agreements are in place.
How important are HIPAA risk management plans to an organization?
A HIPAA Risk Management Plan is the foundation for compliance within any organization. A comprehensive plan must address all the standards and implementation specifications found in the Code of Federal Regulation. Each of the specifications must be addressed with policy and procedure. Policies and their accompanying procedures can vary between organizations because they will reflect the values, approaches and commitments of that particular organization.
Where should organizations start when creating a plan?
I always recommend looking at the standards and the implementation specifications as a way to determine what must be addressed in a plan. This is certainly an area organizations may want to consider outsourcing to compliance experts familiar with everything that must be contained within a plan.
How often should organizations review and revise their risk management plans?
An organization should have a series of questions to use to make a determination when to review and revise their plans. As an example, ask such things as, “Is the policy still relevant and accurate?” “Have any laws or regulations changed since the policy was created?” And, “Does this policy still correctly convey the vision and goals of the compliance program?”
When should a healthcare organization enlist the help of a firm like yours to help manage compliance?
Like any aspect of healthcare compliance, it can be complex and complicated at times. Oftentimes organizations just do not have the time or the resources dedicated to implementation of a comprehensive HIPAA compliance program. This is where companies like mine, who are experts in HIPAA compliance, can assist an organization in a short amount of time to help get a program in place and meet all the necessary requirements under the HIPAA Security and Privacy Rules. An outside consultant brings an objective analysis that can clearly help an organization with an impartial perspective of where they stand on the compliance spectrum.
What are the risks of not seeking outside help?
It goes back to a time management and resource issue along with not having a comprehensive understanding of what are reasonable and appropriate safeguards for the organization. Having an independent third party come into an organization and provide critical analysis can certainly be a little unsettling. HIPAA compliance is an exercise in risk mitigation. My goal is to help clients see the potential risks and remediate them. That is a clear value proposition on why bringing in an outside consultant can be so beneficial.
What HIPAA-related headlines are you currently following? Why should providers care about these issues?
An area I always focus on in the headlines is when the HHS Office for Civil Rights announces settlements in HIPAA violation cases. I read the press releases and eventually review the resolution agreements that typically contain parts of the imposed corrective action plans. It shows you how organizations failed to meet certain compliance requirements, and I view this as a way to learn from others’ mistakes.
I am also focused on the recent cases of ransomware attacks on healthcare providers. There is a lot that can be learned from these cases when it comes to protecting health information and if organizations had the proper and required data backups in place.
Not so much a headline, but when I speak to healthcare organizations I always ask if anyone has ever looked at the HHS Breach Notification Portal. It is truly fascinating to see how many HIPAA data breaches are being reported. As many experts in the field say about HIPAA data breaches, it is not if but when.