"Culture of compliance" is the phrase OCR uses to define what it looks for in an audit or investigation. It uses the phrase "robust compliance program" in the same way. Following these steps is a great way to make sure your organization is following OCR's lead.
7 steps to improving your Privacy & Security policies and procedures and nurturing a Culture of Compliance:
Designate a Compliance (Privacy & Security) Officer
First, the law requires you to do this. But if no one is in charge, nothing will happen; we all know that to be the case. Or, in a leadership vacuum, someone else will take charge and handle things the way they think they should be done, without the support of management.
Train and educate your staff and BA partners
Constantly restating the same information in a variety of ways may annoy some people, but it means they have heard it! Also, don't forget to work with your BA partners to confirm they actually understand what HIPAA compliance requires in their organizations.
Implement an ongoing Compliance maintenance solution
This is where tools such as ComplyAssistant, Spher, and professional MSP monitoring and management applications come in. Either use the tools or develop manual internal controls and processes to accomplish the same documentation and audit tasks on a regular basis.
Conduct regular and complete audits and monitoring of all ePHI systems
If you are ignoring it, then so will everyone else in your organization.
Monitor and respond to Incidents in a timely manner (State & Federal regulations)
We all freak out together as soon as we know something could have happened to our PHI.
Adhere to a strict breach remediation protocol
Define your breach plan and use it every time. After each case in which it was used, review it to make sure you don't need to change or add anything in the plan.
Create an open line of communication for management and staff
The law requires that you never retaliate against any person who files a complaint or reports a problem, including a breach. If you don't make it clear that you fully support that rule, and that all workforce members are free to ask any question, file any complaint, and report any concern, then you will likely miss things simply because someone was afraid to tell you.