The mature compliance program components enumerated below are all included in our Subscription: (1) either in Expresso® (3LP’s SaaS compliance software); or (2) as part of our curated content library. They represent a comprehensive list of mature components that we developed since launching 3LP. The list is not intended to be exhaustive, but from 3LP’s perspective, represents the most mission-critical components of a mature compliance program. Under the HIPAA Safe Harbor Act, signed into law by President Trump in January 2021, having a mature program mandates the HHS/OCR consider leniency in civil monetary penalties (“CMPs”) levied due to a breach.
Privacy, Security, others Covered Entities (“CEs”) and Business Associates (“BAs”) must designate personnel responsible for certain HIPAA policies, procedures, and for answering questions about their notice of privacy practices (“NOPP”) in writing. It is recommended that these designations be placed in a workforce member’s personnel file. The titles of the persons or offices responsible for receiving and processing requests for access, restrictions, amendments, and disclosures, need also be designated and maintained, in writing.
Without these designations, and the proper training, your Workforce members will not be able to answer an Auditor’s Foundational set of questions, such as: (1) who is your Privacy; (2) who is your security officer; (3) who do workforce report incidents to; and do you even know what an incident is?
This is no trivial matter. The Rules require it and Auditors, for obvious reasons, consider it to be important. Notice that a simple requirement review would likely not help you anticipate these questions. OCR auditors are lawyers. To anticipate these questions, you need to think like a lawyer. Our Subscription provides model forms that help with these designations.
The naming of a Compliance Officer (“CO”) is required by both the HIPAA Privacy Rule and Security Rule (See citations below). The CO title should be added to the workforce member’s personnel file. In addition, the file should contain the CO’s job responsibilities and organizational chain of command.
Furthermore, the file should contain language indicating that the CO has been provided resources (e.g., staff, budget, etc.) to accomplish the designated responsibilities. The model compliance letter follows.
CO Responsibilities and Policy
Our Compliance Officer, the executive team, and all [YOUR COMPANY] managers are responsible for the enforcement of these Policies. It is our Policy to name an experienced Workforce member as our HIPAA Compliance Officer. We refer to this individual as our Compliance Officer (“CO”) because his/her responsibilities generally encompass more than the Security Rule (e.g. responsibilities may include the HIPAA Privacy Rule as well as compliance with state laws and regulations). Our CO functions as the point person for the executive team with respect to compliance enforcement.
It is our Policy to designate and maintain, always, a CO. This individual’s job description will be updated to reflect that the individual’s responsibilities include, but are not limited to, the following: (1) training members of our Workforce, including those members of our Workforce that require specialized training; (2) writing and/or reviewing all privacy policies and procedures and ensuring that they remain updated as per applicable law; (3) interacting with state and federal agencies and corporate counsel as required; (4) developing and enforcing our sanctions policy in collaboration with Human Resources; (5) investigating security incidents and notifying patients and other stakeholders of a breach when warranted by applicable law; (6) managing all security related breaches; and (7) otherwise administering our HIPAA compliance initiative.
Citations
Security Rule
http://www.hipaasurvivalguide.com/hipaa-regulations/164-308.php#a-2
Privacy Rule
http://www.hipaasurvivalguide.com/hipaa-regulations/164-530.php
Log into Expresso Home Page https://riskassessmentexpress.com
Your Program should apply NIST standards wherever applicable. If you have a Risk Management Framework (“RMF”) then it should have been derived either from NIST or some other internationally recognized organization that provides best practices. Much of your remediation documentation should be derived from best practices as well. For example, the HIPAA Safe Harbor Act (“Act”) requires HHS to consider whether organizations have implemented “recognized cybersecurity best practices” when investigating a Breach. HHS is required to be lenient with their civil monetary penalties (“CMPs”) if your Program has met all basic technical safeguard requirements. Under the Act. Our Subscription is based on NIST best practices.
The adage that “you can’t manage what you don’t measure” applies to every compliance initiative. If you cannot show an Auditor the status of your Program as it exists today, then you are providing them visible demonstrable evidence (“VDE”) that you have no means to monitor your Program in real time. 3LP Scorecards provide evidence that your Program is continuously being measured and therefore status may be readily determined.
The Scorecard is below.
If you can’t demonstrate a “single version of the truth” you won’t be able to quickly provide an Auditor a sense that compliance artifacts (e.g., policies, processes, training, etc.) are readily available to staff and readily producible to the Auditor. The Auditor is likely to assume that in fact there is “no single version of the truth” and that compliance artifacts may be scatted across devices if they exist at all. Before an audit OCR requires you to provide the latest version of compliance documentation and not a “compendiums of all entity policies of procedures (i.e., forget anachronistic “audit books”). Our single version of the truth is contained in Expresso®’s Docs module.
Without a robust Incident Management process there is no evidence that you can identify Breaches; therefore, your Breach Notification process is either non-existent, ad hoc, immature or you have purposely decided not to track Incidents. Why would you do the latter? Because having trained thousands of stakeholders and sold products into the compliance space for well over a decade, we are aware that many providers, of all sizes, simply decide to “deep six” small breaches. The last thing they want is to have a record of which ones were analyzed because that simply becomes fodder for an Auditor to review.
This strategy is simply too clever by half. For example, a highly competent OCR Auditor (and they are all highly competent) understands that ambulatory practices are small breach factories. The practice may often send PHI inadvertently to the wrong patient. Attempting to claim that you have had no incidents, let alone Breaches, over one to five years will be quickly detected for what it is, an outright lie.
An auditor will want to discuss your training: (1) how often it occurs; (2) what it consists of; and (3) whether you can produce VDE that it occurred. Where are your process results that show when Dr. Smith was last trained and what he was trained on? The Auditor will ask about Phishing training. Why? Because the latter remains the number one vector of entry for ransomware attacks in the healthcare industry writ large. Just “feel good dumbed down” pre-HITECH Act training will no longer suffice.
Is the Compliance Equation® met for each one of the Rules’ requirements? This is where the rubber meets the road, if you can’t show process results for each requirement then an OCR Auditor is going to assume that you don’t have the processes in place, and therefore you are violating the respective requirement(s). Policies (an organization’s intentions) + Processes (actualized in your organization that underpin the Policy) + Tracking Mechanisms (that capture Process Results) = Visible Demonstrable Evidence (“VDE”). All three elements are required with Auditors placing the most significant weight on the third. The NIST Risk Equation is depicted graphically below. It provides a grammar for calculating a Risk for any compliance regime. Analogously our Compliance Equation® provides a grammar for determining whether you are in compliance with a regime requirement (e.g. Policy + Processes that underpin the Policy + Tracking Mechanism to capture Process Results = Compliance).
An audit program is an important part of OCR’s overall health information privacy, security, and breach notification compliance activities. OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations. The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable your organization to get out in front of problems before they result in breaches (and other violations).
Both the Security and Privacy Rules mandate that you get “satisfactory assurances” from your business associates, and the latter from theirs. Satisfactory assurances mean more than having a BAA and less than yearly onsite inspections. The best practice that the industry has converged upon is sending out questionnaires and asking for additional reports. As you might imagine this is a tedious process, averaging about twenty (20) hours per vendor per year. It's not just a question of the hidden costs, which are considerable, but the manual ad hoc nature of the process is error-prone, potentially costing your organization millions in reputation damages if you get it wrong.
Governance is defined as the decisions and actions of the people who run your compliance programs. It is how the executive team controls risks by assigning risk management to various executives that possess subject matter expertise in a particular domain. For example, financial risk is usually assigned to the Chief Financial Officer; employment risks are assigned to the VP of Human Resources, Privacy and Security risk to the Chief Information and Security Officer, etc.
The challenge is that each one of these silos generally uses a different set of semantics for what a risk is and how it should be calculated. 3LP has adopted the NIST universal grammar for how a risk should be calculated, as identified in the graphic below:
This methodology for calculating the subjective value of a Risk provides a universal grammar that can be used with any compliance regime. For example, we have used it with Expresso® for GDPR, CCPA, and for a HIPAA Privacy Rule gap analysis. To have a mature program a risk should be calculated in the same way for the HIPAA Security Rule as it is for the HIPAA Privacy Rule. The same way for GDPR as it is for CCPA. NIST has done the heavy lifting with its grammar but unfortunately this grammar is not widely understood as having universal applicability and therefore has not been widely adopted. The challenge is that if each compliance does not agree on how to calculate a risk, then effective communication between becomes nearly impossible.
The same can be said regarding the Compliance Equation® as discussed above. The equation mandates the elements required to comply with any regime requirement, yet few recognize its universal applicability and therefore, like the NIST universal grammar for calculating a risk, it has not been widely adopted.
Words matter. Having a clear set of terms of art is an indication that an organization’s compliance program is mature.
As mature compliance program demonstrates that an organization is managing risks in a methodical rigorous manner. It provides a compelling message to an auditor that the organization takes compliance seriously, as required by applicable law. It also demonstrates that this commitment to compliance is valued by the organization, because without the support of the senior management team maturity cannot be achieved and therefore becomes nothing more than a meaningless platitude.
Finally, now under the HIPAA Safe Harbor Act, a mature compliance program itself is a recognized risk reduction strategy and helps the organization reduce or eliminate liability.