From the Ground Up: The Most Useful Tool For Building a HIPAA Compliance Program

When a new Chief Compliance Officer (CCO) joins an organization, getting a handle on the current processes, policies, and procedures can be quite an undertaking. If there’s been a significant gap in compliance leadership, this new leader is likely building the hospital’s compliance program from the ground up.

While most hospitals and health systems’ compliance programs have been long established, it’s not uncommon for organizational changes, turnover in leadership, or even a pandemic to create a distraction and cause the program to lose traction. In smaller organizations, it’s still common to lack a C-level compliance leader, leaving others to absorb the responsibilities or simply have them go unfilled altogether.

Hospitals and health systems frequently ask Clearwater to step in as an interim CCO and help build and manage the compliance program while the organization searches for the right leader to join its executive team. Drawing on our team’s recent Interim CCO work, here are lessons learned, strategies for long-term success with the HIPAA compliance aspects of your program, and the #1 tool we find most helpful in building and maturing strong HIPAA Compliance programs.

Identify compliance champions early.

Culture and infrastructure play a key role in the success of any HIPAA compliance program, so identifying some champions to embed a culture of compliance will help you gain traction earlier.

Start by meeting with each member of the executive leadership team and other key stakeholders; they can quickly get you a high-level understanding of their departments, department goals, and applicable compliance program systems.

Use these meetings as an opportunity to listen and absorb as much as possible; the safer it is for leaders to share candid insight and concerns from a compliance perspective, the faster you’ll gain a true understanding of what you’re working with, the objectives to be completed, and the priority of each.

Leverage your compliance champions as bi-directional information channels, include them in your committees and communicate changes, updates, and progress with them regularly. These folks can help bring you into the loop on HIPAA compliance challenges or gaps throughout the organization while also helping embed new policies, processes, and requirements in their teams, colleagues, and departments.

Your greatest enemy is bandwidth.

Healthcare is feeling a staffing shortage across the board, from nurses and clinical support staff to project leaders, cybersecurity professionals, and leadership. So it isn’t surprising that while an organization is searching for a new CCO, there has been turnover elsewhere, too.

As you seek resources and schedule time to collaborate with stakeholders, know that you’ll be just one of many looking for their time and input.

Further, once you start pulling on the existing compliance program threads, you’re likely to uncover many areas that have gone unattended. It won’t take long for your list of priorities to grow and, with it, for your attention to scatter. Resist the urge to chase it all down; instead, stay focused on the main objectives identified early on. Once you establish the program or implement the missing foundational components, you can circle back on the other issues that surfaced during your research and investigation.

After weeks of meeting with leaders and stakeholders and uncovering a long list of deliverables for the program, here’s what made the shortlist for the 16 weeks we served as interim CCO for one hospital recently:

  • Training and education
  • Hotline implementation
  • Sanction screening
  • Establishing a compliance committee
  • Conducting a 10-point HIPAA compliance assessment
  • Addressing critical areas, such as the risk management process and the appointment of a HIPAA Security Officer

The 10-Point HIPAA compliance assessment is the best place to start.

It’s hard to build a plan for a new program, or to gain traction in an existing compliance program, without a solid understanding of the current state. But even gaining a firm grasp on the organization’s current reality can be daunting without a framework to work with. The 10-point HIPAA compliance assessment gives leaders a step-by-step guide to assess the current state of an organization’s programs, since many of their elements align. It serves to identify and prioritize the gaps and to begin building a plan to address them.

In our work as interim CCO, we find that the 10-point HIPAA compliance assessment is the most valuable starting point for building and maturing compliance programs, including HIPAA. Oftentimes, when one program is deficient, so are other programs. Here’s an overview of the 10 points and some helpful information at each stage of the assessment.

10-Point HIPAA Compliance and Cyber Risk Management Program

  1. Have a compliance, privacy, security risk management, and governance program in place (often considered the eighth element) (45 CFR §164.308(a)(1))

  • Do you have a designated HIPAA Security and/or Compliance Officer?
  • Is there a governance structure in place?
  • Is there a board to whom your security officer reports?
  • Do you have a leadership structure to whom the officer reports?
  • Are you setting regular meetings for program governance?
  • Are you tracking the minutes of those meetings?

It is common that the Compliance, Privacy, and Security Officers serve on the Compliance or Governance Committee, work collaboratively, and participate and report program status to the Board or a Committee of the Board.

  2. Develop and implement written compliance and HIPAA privacy, security, and breach notification policies and procedures (45 CFR §164.530 and 45 CFR §164.316)

Be sure these policies and procedures are in place and routinely reviewed and updated, and establish a document repository, as they will serve as evidence if you face scrutiny or investigation by the Office for Civil Rights (OCR) or other agencies (e.g., OIG, Medicare). This sets expectations for the workforce and reflects the culture of the organization.

  3. Train all members of your workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))

Be sure to include training around compliance and HIPAA requirements, as well as security and privacy awareness. Training includes but is not limited to the elements of the programs, code of conduct, accountability, and reporting. Conduct this training consistently and frequently. Include documentation of training and updates.

Reporting and investigating compliance and HIPAA incidents is key to stopping bad behavior, whether it originates internally or from an external source. Make sure the workforce has easy-to-access mechanisms for reporting, such as an open-door policy and/or a hotline or helpline. The workforce should also understand the consequences of non-compliance with the organization’s policies, procedures, and applicable laws. Ensure that disciplinary actions are fair, equitable, and consistent.

Each of the four areas below makes up the monitoring and auditing necessary to identify priorities and risks. This monitoring and auditing should also consider documentation, coding, and billing; incorporate the OIG work plan and fraud alerts; and can be conducted both internally and externally by a third party.

  4. Complete a HIPAA security risk analysis (45 CFR §164.308(a)(1)(ii)(A))

From an OCR perspective, if you face an investigation or inquiry, a security risk analysis may be the first thing OCR will ask to see. Unfortunately, nearly 90% of organizations facing monetary settlements or penalties for HIPAA violations related to electronic protected health information have not conducted a risk analysis correctly or have not done one at all.

  5. Complete HIPAA security risk management (45 CFR §164.308(a)(1)(ii)(B))

Once you complete your risk analysis, you’ll need a risk management plan to deal with the identified risks that require treatment or mitigation. You should also document whether you’ve decided to accept, mitigate, or reject each of those risks, and document any additional safeguards you’re planning to implement; this documentation will support your position on any OCR findings regarding gaps and risks.

  6. Complete a HIPAA security evaluation (e.g., compliance assessment) (45 CFR §164.308(a)(8))

This is often considered a non-technical evaluation under the HIPAA Security Rule. Think of it as a gap assessment that demonstrates your organization is being reasonably diligent in ensuring compliance with the Security Rule.

  7. Complete technical testing of your environment (45 CFR §164.308(a)(8))

The HIPAA Security Rule also requires technical testing, including vulnerability scanning and internal and external penetration testing, web application testing, etc. In light of the increased ransomware and phishing attacks healthcare organizations face, this is also a good time to add related assessments to your testing processes to see where you may have gaps or issues that could put you at greater risk of a successful attack.

  8. Implement a strong, proactive Business Associate management program (45 CFR §164.502(e) and 45 CFR §164.308(b))

Be sure you have business associate agreements in place. Healthcare organizations, now more than ever, need to ensure they have processes in place, and documented, to address and mitigate risks associated with business associates and other third-party relationships.

  9. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)

As a best practice, complete a compliance assessment to uncover any gaps in your Privacy and Breach Rule compliance measures.

  10. Document and act upon a remediation plan (45 CFR §164.530(c) and 45 CFR §164.306(a))

Documentation is key for maturing your program and attesting to your program’s effectiveness. But remember, it’s more than documenting what you’re doing correctly. Respond promptly to detected incidents or offenses, undertake corrective actions to address the gaps and weaknesses they reveal, and document all the steps taken to mitigate or remediate those issues.


In serving as an interim CCO, our focus is often establishing the ground-floor components of an organization’s compliance program so that when the permanent Chief Compliance Officer is brought on board, she or he can focus on maturing the program and evolving it as the organization grows and requirements change. Many of the processes described above cross over compliance, privacy, and security, and these matters are addressed through collaboration between the respective officers. By leveraging similar regulatory requirements, the organization can eliminate redundancy and streamline its processes for better compliance by the workforce.

A mature HIPAA compliance program should include the following components at a minimum to identify the risks to the organization and complement the ethics and compliance program:

Building and maturing a compliance program in today’s healthcare environment can be expensive and overwhelming. If you need help establishing the critical components of your program or could benefit from the program leadership and management of a managed services program, Clearwater can help. Getting started is easy; schedule a call with one of our experts today.
