Monitor the health of your HIPAA security compliance: Check in on your security compliance with 'The Monthly Checkup'
HIPAA Training Advisor, January 10, 2008
by Kate Borten, CISSP, CISM
If you are responsible, directly or indirectly, for your organization's implementation of HIPAA's security rule requirements, you are probably aware of how much work still needs to be done. The reality is that compliance and security officers know their privacy and security programs have gaps, sometimes significant ones, but senior management is reluctant to allocate time and money because it no longer considers HIPAA compliance to be a priority. Fortunately, there is a simple but effective security and privacy measure that doesn't require any budget outlay and has a minimal effect on managers' time.
The monthly security checkup is a procedure that each department should follow. Using a simple checklist, the surveyor (a manager or supervisor) walks through the area, looking and listening for security and privacy concerns. If the surveyor identifies any, he or she records them on the checklist. Examples of problems include conversations the surveyor hears that should have been kept private, computer workstations that staff members have left logged on and unattended, and passwords posted in clear view.
The following are suggested steps for putting this process in place:
- Get support from the top. You'll need it because you'll be asking managers to take on a new task. Even though the survey process is simple, it's one more responsibility. Be sure senior management understands the significant benefits in relation to the minimal effect the checkup will have on managers. You'll also need support from the top if you find some surveyors to be less than cooperative; surveyors must be held responsible and accountable for performing this task fairly and thoroughly.
- Request that each senior manager identify, for his or her department or division, each survey unit (the physical space), as well as the associated manager who will be performing the surveys.
- Document the surveyor procedure. Include the frequency of the survey and time frame for performing the survey and returning the form. Be sure to require a returned form even if the surveyor finds no problems.
- Meet with the assigned surveyors to explain the process. Hand out the procedure and the checklist. Walk through each item on the checklist and explain what it means and why it is important to security.
- Kick off the first survey, making sure the work force knows what is happening and understands the benefits of the security checkup.
Periodically, the security and privacy officers should perform surveys themselves, using the same checklist, to validate the results submitted by surveyors. The security officer, or whoever is overseeing the security checkup process, will need to develop his or her own process for reviewing the survey results, taking steps to follow up on specific instances when necessary, aggregating the information, and performing trend analyses. The security officer should summarize and present the results to the organization's privacy and security committee and senior management. A trend toward better security practices should be evident in no time.
Editor's note: Borten is president of The Marblehead Group in Marblehead, MA. Her consulting company focuses on privacy and security assessments, regulatory compliance audits, and program development guidance to clients across the healthcare industry.