MRO recently hosted a webinar titled “Developing Best Practices from OCR Audit Protocols and Issue Resolutions” as part of our three-part webinar series on privacy and security. The presentation began with a review of the first webinar in the series, “Lessons Learned from OCR Enforcement Actions.” This set the stage for the discussion of Best Practices that have resulted from the HIPAA Audit Program and resolution agreements.
Developing Best Practices
Most of us have a sense of what is good practice, but this depends on an organization’s perspective, so it is important to understand and document Best Practices that may be developed in response to an event or situational analysis. (Situational analysis is the review of published privacy or security incidents.)
To become a Best Practice, a practice needs a basis in theory and research that informs its creation. Best Practices result from reflective practice, which is why audit programs are needed: audits incorporate the notion that practice is adjusted following the feedback of the audit/evaluation process.
Part of threading Best Practices into your organization is reviewing the audit evaluations that support and reinforce these stated processes within existing practice. You might find that practice has been updated, but the related policy has not. It is important for policy and practice to correlate. When you find a difference, you must determine which statement is correct and update the documentation accordingly.
Paramount to the success of Best Practices:
- They must be proven across a range of circumstances, allowing for critical thinking to be applied to each unique situation.
- Simplicity is required. If people can’t understand the practice, implementation will not be successful.
- Make them accessible and available for utilization by sharing them. If there is a lot of new information and/or a complete change in process, then education is critical.
Best Practices Based on OCR Enforcement Actions
During our presentation, we reviewed several HIPAA settlement cases, from which Best Practices were developed through consideration of the known facts of each case. Here are some key lessons learned.
- Require Business Associate Agreements (BAAs) with any vendor or third party that has access to Protected Health Information (PHI).
- Conduct a risk assessment, followed by thorough analysis of the findings, including a project plan schedule for mitigation and/or re-evaluation that accommodates budgetary limitations.
- Management of identified risks is paramount, which includes the documentation of all discussions and mitigation efforts.
- Ensure the workforce is aware of external and internal threats, and of how to escalate privacy or security events via appropriate reporting channels.
- Be certain that system patches are applied in a timely manner.
- Pay careful attention to disposal of information. The case of a facility which failed in this area was highlighted in our presentation.
- Ensure incident response plans are in place, and maintain overall governance of the program.
To learn more, fill out the form to request a recording of MRO’s Privacy and Security Webinar Series, Part 2: Developing Best Practices from OCR Audit Protocols and Issue Resolutions.