Missing the HIPAA Target – Part 2

In my previous blog, I stressed compliance is not about being an expert on HIPAA regulations, but being risk management proficient ― the ability to identify vulnerabilities and threats facing your organization, and to take steps to eliminate, minimize or manage them.  I usually refer to the next step as "ownership", but I’m not really a fan of the term.  A common synonym is "possession".  You can own something, but it doesn’t mean you are committed to taking care of it or ensuring a positive outcome.  The term seems weak.  Recently, a good friend and savvy business partner used the term "accountability" in a joint presentation we gave on compliance.  It was during the Q&A at the end of the presentation, and I immediately knew this was the word I had been searching for.

Accountability means you are not only responsible, but your efforts can be verified.  Verification is essential in compliance of any kind.  In healthcare, we’ve all heard the phrase, “If it isn’t documented, it didn’t happen.”  Proper documentation reduces liabilities and protects you and your organization.  This includes making tough decisions that ensure the ability to verify results with the highest level of confidence.  Take, for instance, performing the required HIPAA Security Risk Assessment.  You could have it done internally by forming a group from the affected departments.  Another option might be that your managed service provider (MSP) could perform the risk assessment.  Lastly, there are independent organizations that provide risk assessments and compliance support as their core business.  Which approach would provide the most accurate, unbiased and verifiable results?

Accountability is essential to keep a process running efficiently.  Take responsibility to ensure your contribution to the process is done in the right order, per the quality required, and on time.  Failure to do so creates vulnerabilities and threats to your organization, and your patients and customers.  Accountability also enables adoption of proven compliance practices into daily routines such that they become standard operating procedures.  It is the foundation for building a culture of compliance.  Thus, we all need to recognize accountability is essential in our role in the organization and that we deliver verifiable results.

If you'd like more information on HIPAA compliance, risk assessments, or reducing the liabilities for your practice, contact us at: compliance@thirdrock.com.

Ed Jones, PMP, CHSP
About the Author

With over 30 years of customer-facing experience managing projects in healthcare, IT, and process automation in a variety of tech industries, Ed has worked for companies ranging from start-ups to the Fortune 100. He has performed numerous complex and extensive risk assessments, and developed and managed the corresponding risk management strategies.
