Use triggered reviews in your HIPAA privacy and security rule compliance assurance program
HIM Connection, January 30, 2007
At the core of your privacy and security compliance assurance program is the process by which you measure and analyze practices and events in order to take corrective actions. The process, referred to as auditing, comprises many methods and tools, depending on what you measure and analyze.
Triggered reviews
Triggered reviews are one data collection method you can use in a HIPAA privacy and security rule compliance assurance program. Triggered reviews are based on threshold levels of incident occurrences. You perform further investigation once an incident reaches that threshold. You can set the threshold for a single event or multiple occurrences, usually within an established time period.
Some organizations distinguish among actions, events, and incidents. Actions are processes performed without an associated compliance value; events are aberrations that are, or could lead to, noncompliance; and incidents are sentinel occurrences that are truly noncompliant.
Triggered reviews respond to and manage the events or incidents that you designate. They differ from ongoing monitoring primarily in that a triggered review starts from an event or incident that is a noncompliance matter. Ongoing monitoring tracks actions that do or do not occur in order to pinpoint which may become events or incidents.
Sources of incidents
Sources of incidents include privacy complaints and security incidents. Event occurrences that may lead to incidents can also be identified through automated alerts or alarms from special security controls, through observations made by the information privacy officer, information security officer, or others during the normal course of their activities, or as the result of ongoing monitoring or auditing.
Your organization should have policies and procedures for handling privacy complaints and security incidents. However, once you resolve the specific complaint or incident, your organization should include it, with other risks, in a database so you can perform a pattern analysis. This is yet another source of a triggered review. You may manage the complaint or incident as an isolated occurrence of an event until you recognize that there have been other such events.
Setting trigger thresholds
There are many ways to set trigger thresholds. The obvious one is the sentinel event type, in which the incident is clearly a noncompliant action that you never want to occur. Others may be more controversial or difficult to determine. For compliance with the security rule, a good way to identify trigger thresholds is to use the risk analysis you perform in compliance with the security rule. This should provide some form of risk score or indication of where threats are highly likely to exploit a vulnerability and where the criticality of impact is very high.
Where an event has a high likelihood of occurrence (or probability) and high criticality, there should be a low trigger threshold. As you move down the scales of probability and criticality, you may set the trigger thresholds higher. For example, a high frequency of unsuccessful attempts to hack a network, as shown through your intrusion detection system, is a nuisance, but unless (and until) a hack succeeds, there is no actual noncompliant event. Alternatively, if attacks penetrate more deeply into your protections and are therefore more likely to succeed (more critical), the threshold should be lower.
Once you identify the various risks, you can use this information not only to establish triggers, but potentially to identify where ongoing monitoring will begin and what audits you should perform.
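The threshold-setting approach above can be expressed as a small piece of logic. The following is an added example, not code from the article or the book it is adapted from: it derives a count threshold from an assumed 1-3 likelihood and criticality score, counts events per category inside a review window, and reports which categories have reached their trigger. The event categories, risk scores, window length and sample events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed review window: occurrences are counted within the last seven days.
WINDOW = timedelta(days=7)


def trigger_threshold(likelihood: int, criticality: int) -> int:
    """Derive a count threshold from a risk-analysis score (each on an assumed 1-3 scale).

    High likelihood and high criticality give a sentinel threshold of 1 (review on the
    first occurrence); lower scores give progressively higher thresholds.
    """
    score = likelihood * criticality  # 1..9
    if score >= 9:
        return 1
    if score >= 6:
        return 3
    if score >= 3:
        return 10
    return 25


# Constructed event categories with assumed (likelihood, criticality) scores.
RISK_PROFILE = {
    "ids_failed_probe": (3, 1),            # frequent, but not noncompliant unless it succeeds
    "ids_deep_intrusion": (2, 3),          # rarer, far more likely to reach protected data
    "privacy_complaint": (2, 2),
    "phi_disclosed_unauthorized": (3, 3),  # sentinel: never acceptable
}


def triggered_reviews(events, now, window=WINDOW):
    """Return the categories whose count within (now - window, now] reached their threshold."""
    counts = defaultdict(int)
    for ts, category in events:
        if now - window < ts <= now:
            counts[category] += 1
    return sorted(c for c, n in counts.items() if n >= trigger_threshold(*RISK_PROFILE[c]))


# Constructed incident log: (timestamp, category).
SAMPLE_NOW = datetime(2007, 1, 30)
SAMPLE_EVENTS = [
    (datetime(2007, 1, 10), "ids_failed_probe"),  # outside the window; ignored
    *[(datetime(2007, 1, 24 + i % 6), "ids_failed_probe") for i in range(8)],
    (datetime(2007, 1, 25), "ids_deep_intrusion"),
    (datetime(2007, 1, 27), "ids_deep_intrusion"),
    (datetime(2007, 1, 29), "ids_deep_intrusion"),
    (datetime(2007, 1, 26), "privacy_complaint"),
    (datetime(2007, 1, 28), "privacy_complaint"),
    (datetime(2007, 1, 29), "phi_disclosed_unauthorized"),
]


def run_sample():
    return triggered_reviews(SAMPLE_EVENTS, SAMPLE_NOW)
```

Eight failed probes stay below their threshold of 10, while three deeper intrusions meet their lower threshold of 3 and the single unauthorized disclosure trips its sentinel threshold of 1.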
Editor's note: The above article was adapted from the book Guide to HIPAA Auditing: Practical Tools and Tips to Ensure Compliance, written by Margret Amatayakul, RHIA, CHPS, FHIMSS. For more information or to order, call 877/727-1728, or go to www.hcmarketplace.com/prod-2206.html.