Home Health & Hospice Week

HIPAA:

Consider These 5 Tips To Bolster HIPAA Risk Management

Pointer: Make sure your suggestions take operations into account.

HIPAA compliance is important to your agency’s regulatory and financial health, but how can you make sure it isn’t shunted to the back burner?

This is a very common question. IT expert Bob Chaput provides the following suggestions in a recent blog post for Clearwater Compliance:

1. Get a friend on the executive team. If you’re responsible for HIPAA compliance but not a member of the top brass, align yourself with someone on the executive team. Try to secure a friend in the “C-suite” who understands risk management, such as your organization’s legal counsel, CFO, or COO, Chaput suggested.

2. Don’t harp on “compliance.” When you’re talking with management about risk, talk about “patient safety” and “quality of care” instead of “compliance,” Chaput recommended. “Talk about how the confidentiality, integrity and availability of health information is critical to patient safety and quality of care.”

3. Set up a risk management oversight council or committee. According to Chaput, the council or committee should be responsible for:

• Providing strategic direction relative to risk philosophy;

• Establishing the authority, responsibility and accountability of the risk management program;

• Setting the organization’s risk appetite;

• Understanding the level of risk in the organization and the impact of the consequences;

• Approving initiatives to reduce or mitigate that risk;

• Ensuring adequate resources to achieve initiatives;

• Providing high-level support for initiatives;

• Being aware of compliance issues and remediation; and

• Ensuring risks are managed appropriately.

4. Establish a risk management working group. According to Chaput, this should be a cross-functional group that’s responsible for:

• Implementing an effective coordinated risk management program, ensuring documented policies and procedures, training the workforce, determining sanctions for violations, establishing incident reporting procedures, and managing Business Associates.

• Mitigating gaps or weaknesses uncovered during compliance assessments and/or risk analyses.

• Keeping the oversight council informed on results and mitigation activities, as well as regulatory changes, trends in incidents and/or breaches, results of compliance audits, workforce training, and progress on remediation plans.

5. Align your recommendations with business strategy. Ensure your recommendations will improve the protection of health information but won’t disrupt operations unnecessarily, Chaput recommended. “Focus your compliance and security recommendations on ensuring customer trust and creating a competitive advantage.”
