
Use triggered reviews in your HIPAA privacy and security rule compliance assurance program

HIM-HIPAA Insider, January 30, 2007


At the core of your privacy and security compliance assurance program is the process by which you measure and analyze practices and events in order to take corrective actions. The process, referred to as auditing, comprises many methods and tools, depending on what you measure and analyze.

Triggered reviews
Triggered reviews are one data collection method you can use in a HIPAA privacy and security rule compliance assurance program. Triggered reviews are based on threshold levels of incident occurrences. You perform further investigation once an incident reaches that threshold. You can set the threshold for a single event or multiple occurrences, usually within an established time period.

Some organizations distinguish among actions, events, and incidents: actions are processes performed that carry no compliance value in themselves; events are aberrations that are, or could lead to, noncompliance; and incidents are sentinel occurrences that are truly noncompliant.

Triggered reviews respond to and manage the events or incidents you designate. They differ from ongoing monitoring primarily in that they start from an event or incident that is already a noncompliance matter, whereas ongoing monitoring tracks actions that do or do not occur in order to pinpoint which may become events or incidents.

Sources of incidents
Sources of incidents include privacy complaints and security incidents. Events that may lead to incidents can also be identified through automated alerts or alarms from specific security controls, through observations made by the information privacy officer, information security officer, or others in the normal course of their activities, or as a result of ongoing monitoring or auditing.

Your organization should have policies and procedures for handling privacy complaints and security incidents. Beyond that, once you resolve a specific complaint or incident, record it with the organization's other risks in a database so you can perform pattern analysis. That analysis is yet another source of triggered reviews: you may manage a complaint or incident as an isolated event until the database shows that there have been other such events.

Setting trigger thresholds
There are many ways to set trigger thresholds. The obvious one is the sentinel event type, in which the incident is clearly a noncompliant action that you never want to occur. Others may be more controversial or more difficult to determine. For the security rule, a good way to identify trigger thresholds is to use the risk analysis you already perform to comply with that rule. It should provide some form of risk score, or at least an indication of where threats are highly likely to exploit a vulnerability and where the criticality of the impact is very high.

Where an event has a high likelihood of occurrence (probability) and high criticality, set a low trigger threshold. As you move down the scales of probability and criticality, you may set the trigger thresholds higher. For example, a high frequency of unsuccessful attempts to break into the network, as shown by your intrusion detection system, is a nuisance, but unless (and until) an attempt succeeds there is no actual noncompliant event. Conversely, if attempts penetrate more deeply into your defenses and are therefore more likely to succeed (and more critical), the threshold should be lower.

Once you identify the various risks, you can use this information not only to establish triggers, but potentially to identify where ongoing monitoring will begin and what audits you should perform.
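The following is an added example, not from the book or the newsletter, of how the triggered-review logic described above can be implemented: a risk profile per event type (the likelihood and criticality ratings, and whether the type is sentinel, are assumed to come from the security-rule risk analysis), a threshold and time window derived from that profile, and a windowed count over a constructed incident database. The 1-3 rating scale, the score cut-offs, the event type names, and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed output of the risk analysis: a 1-3 rating for likelihood and
# criticality per event type, plus a sentinel flag. Event type names are
# hypothetical.
RISK_PROFILE = {
    "sentinel_disclosure": {"likelihood": 3, "criticality": 3, "sentinel": True},
    "privilege_escalation_attempt": {"likelihood": 2, "criticality": 3, "sentinel": False},
    "failed_login": {"likelihood": 3, "criticality": 1, "sentinel": False},
}


def trigger_threshold(profile):
    """Map a risk profile to (occurrence count, time window).

    Sentinel events trigger a review on a single occurrence with no window.
    Otherwise a higher likelihood x criticality score yields a lower count
    in a shorter window; low-risk nuisance events need many occurrences.
    The cut-offs are an assumed policy, not prescribed by the article.
    """
    if profile["sentinel"]:
        return 1, None
    score = profile["likelihood"] * profile["criticality"]
    if score >= 6:
        return 3, timedelta(hours=1)
    if score >= 3:
        return 10, timedelta(hours=24)
    return 50, timedelta(days=7)


def triggered_reviews(events):
    """Return [(event_type, iso_timestamp)] for each time a threshold is crossed.

    events: iterable of (iso_timestamp, event_type) records from the
    complaint/incident database. Occurrences of each type are counted in a
    sliding window; once a cluster triggers, the window is cleared so one
    cluster yields one review rather than one per additional occurrence.
    """
    by_type = defaultdict(list)
    for ts, etype in sorted(events):
        by_type[etype].append(datetime.fromisoformat(ts))

    triggers = []
    for etype, times in by_type.items():
        profile = RISK_PROFILE.get(etype)
        if profile is None:
            continue  # unrated types are recorded but never trigger (assumption)
        count, window = trigger_threshold(profile)
        recent = []
        for t in times:
            recent.append(t)
            if window is not None:
                recent = [r for r in recent if t - r <= window]
            if len(recent) >= count:
                triggers.append((etype, t.isoformat()))
                recent = []
    return triggers


# Constructed sample incident database for this example.
SAMPLE_EVENTS = (
    # Eight failed logins in one day: a nuisance, below the assumed 10-per-24h threshold.
    [(f"2007-01-15T{h:02d}:00:00", "failed_login") for h in range(8, 16)]
    # Three privilege-escalation attempts in twenty minutes: crosses 3-per-hour.
    + [("2007-01-15T14:00:00", "privilege_escalation_attempt"),
       ("2007-01-15T14:10:00", "privilege_escalation_attempt"),
       ("2007-01-15T14:20:00", "privilege_escalation_attempt")]
    # One sentinel event: always reviewed.
    + [("2007-01-16T03:30:00", "sentinel_disclosure")]
)


if __name__ == "__main__":
    for etype, when in triggered_reviews(SAMPLE_EVENTS):
        print(f"triggered review: {etype} at {when}")
```

Running the block reports two triggered reviews (the privilege-escalation cluster and the sentinel disclosure) and none for the failed logins, which matches the article's point that unsuccessful attempts alone are not a noncompliant event. In practice the window for sentinel events should be unbounded, as here, and the thresholds should be revisited whenever the risk analysis is updated.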

Editor's note: The above article was adapted from the book Guide to HIPAA Auditing: Practical Tools and Tips to Ensure Compliance, written by Margret Amatayakul, RHIA, CHPS, FHIMSS. For more information or to order, call 877/727-1728, or go to

