So are most things that are really worthwhile - wouldn't you agree?
I just googled "hipaa compliance process" out of curiosity. My browser says there's "About 5,570,000 results."
That's fairly daunting. How do you do HIPAA compliance CORRECTLY with the time you've got every week, and the thousand or so other responsibilities you've got?
Here's my simple, easy, solution for you: Get started. Do something. And then keep doing something, regularly.
But please, please, please - don't stick your head in the sand. Audits are coming faster every day now, and PHI breaches seem to be almost inevitable, no matter the size of your practice.
And what's the first something to do?
I would suggest that you begin with the practical guidance from the HIPAA law itself - start with implementing a Risk Analysis Process.
Looking at the HHS's guidance on how to start compliance with the Security Rule here -
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf - their guidance is clear:
"In Summary
Risk analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI."
This is why, at Turn Key Health, we follow this Risk Management Process with our clients:
Step 1: Identify Risk Areas
Step 2: Assess Risks
Step 3: Create a Risk Management Plan
Step 4: Implement Risk Controls
Step 5: Re-evaluate & Measure
Step 6: Go to Step 1
I truly believe that Step 1 is the most important - take the time to thoroughly draw out EXACTLY where your ePHI is stored, where it travels, where it can be accessed, and draw the lines between those systems. This is the one time in your whole HIPAA compliance journey when you have my blessing to be really pessimistic and let your mind dwell on everything that could possibly go wrong.
"The following questions adapted from NIST Special Publication (SP) 800-66 are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:
- Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
- What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
- What are the human, natural, and environmental threats to information systems that contain e-PHI?"
If you take your time and do a thorough job at this step, it will make you WAY more effective in the ensuing steps.
We've all heard the quote "
A journey of a thousand miles begins with a single step", right? (Lao-tzu, Chinese philosopher)
Let's get stepping! You can do this!
If you want to find out how we can make HIPAA compliance painless, visit us at
www.TKSHEALTH.COM