For healthcare organizations and the businesses that support them, regulation and legislation too often turn into lawsuits and settlements. What’s happening to get you into trouble in the first place? How can you avoid the serious costs they bring – to the bottom line and to reputation? Here’s what we often see in a “from the trenches” perspective.
Policies & Procedures Misalignment
In other words, either you didn’t do what you said you were going to do, or you have serious gaps in what should be written down and followed. Here’s the thing about policies and procedures: they have to be accurate, yes, but they also should say what you will do, not just what you can do.
Do you say you’re going to test and check your firewall every 30 days? Better have that proof ready to show that you did it. Do you state that your mobile device use includes information security standards for mobile device hardening to protect PHI? Prove the steps you take – encryption, remote wipe capabilities, device tracking, etc.
If you don’t or can’t produce proof, and there’s a PHI breach, any legal action will include turning over privacy and security policies. You want to be able to do that with confidence.
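As an added illustration (this is not code from the original post or from Apgar & Associates), the Python sketch below shows one way to hold the kind of proof the paragraphs above ask for: an append-only evidence log of control checks, hash-chained so later edits are detectable, audited against the cadence and control list the written policy states. The policy values, control names and log entries are constructed for the example; a real deployment would pull records from a ticketing system, change log or SIEM.

```python
"""Check a control-evidence log against what the written policy promises."""
from datetime import datetime, timezone
import hashlib
import json

# Policy statements as written down (constructed for this example).
POLICY = {
    "firewall-review": {"max_interval_days": 30},
    "mobile-device-hardening": {
        "required_controls": {"encryption", "remote-wipe", "device-tracking"}
    },
}

# Constructed evidence log: one entry per check actually performed.
EVIDENCE = [
    {"control": "firewall-review", "ts": "2021-01-05T10:00:00Z",
     "performed_by": "netops", "result": "pass"},
    {"control": "firewall-review", "ts": "2021-02-02T09:30:00Z",
     "performed_by": "netops", "result": "pass"},
    # 46-day gap before this entry: the policy said 30.
    {"control": "firewall-review", "ts": "2021-03-20T09:30:00Z",
     "performed_by": "netops", "result": "pass"},
    # device-tracking is never evidenced, although the policy lists it.
    {"control": "mobile-device-hardening", "ts": "2021-02-15T12:00:00Z",
     "performed_by": "endpoint-team", "controls": ["encryption", "remote-wipe"]},
]

AS_OF = datetime(2021, 4, 1, tzinfo=timezone.utc)  # date of the audit


def parse_ts(s):
    """Parse the 'Z'-suffixed UTC timestamps used in the log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def canonical(record):
    """Stable byte encoding so the digest does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_digests(records):
    """Hash-chain the log: each digest covers the entry and the previous digest."""
    prev = "0" * 64
    out = []
    for record in records:
        prev = hashlib.sha256(prev.encode() + canonical(record)).hexdigest()
        out.append(prev)
    return out


def chain_intact(records, expected_last):
    """True if the log still reproduces the digest recorded when it was last sealed."""
    return chain_digests(records)[-1] == expected_last


def cadence_gaps(records, control, max_days, as_of):
    """Intervals between checks of `control` longer than max_days.

    The open interval from the last check to `as_of` is included, so an
    audit also catches a check that is simply overdue.
    """
    times = sorted(parse_ts(r["ts"]) for r in records if r["control"] == control)
    gaps = []
    for prev, cur in zip(times, times[1:] + [as_of]):
        days = (cur - prev).days
        if days > max_days:
            gaps.append((prev.isoformat(), cur.isoformat(), days))
    return gaps


def missing_controls(records, control, required):
    """Required controls for which no evidence entry exists at all."""
    seen = set()
    for r in records:
        if r["control"] == control:
            seen.update(r.get("controls", []))
    return sorted(required - seen)


def audit(records, policy, as_of):
    """Map each policy statement to the findings the evidence log supports."""
    findings = {}
    for control, rule in policy.items():
        if "max_interval_days" in rule:
            findings[control] = cadence_gaps(records, control,
                                             rule["max_interval_days"], as_of)
        if "required_controls" in rule:
            findings[control] = missing_controls(records, control,
                                                 rule["required_controls"])
    return findings


if __name__ == "__main__":
    sealed = chain_digests(EVIDENCE)[-1]
    print("log intact:", chain_intact(EVIDENCE, sealed))
    print(json.dumps(audit(EVIDENCE, POLICY, AS_OF), indent=2))
```

Two findings come out of the constructed log: the firewall review slipped to 46 days once, and mobile-device hardening has no evidence for device tracking. The hash chain is what lets you hand the log over with confidence; if any past entry were altered, the sealed digest would no longer reproduce.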
Here are our Policy & Procedure Quick Tips, in a short video format. Feel free to share.
Breach Incident, No Security Incident Response Plan (IRP)
Naturally, if you do experience a PHI breach, or any type of breach incident, you want to be able to take action. The thing that stinks is that even a not-so-bad breach can bring the wolf to the door, lawsuit-wise. At one point, if there was no proof of harm (e.g., identity theft), there was a chance the courts would show leniency. That happens far less often these days, especially when you can’t demonstrate that your security Incident Response Plan is reliable (or if you don’t have one in place).
Think about what the courts will want to see – or better yet, what a security risk analysis would reveal about your security IRP. Can you show that everyone knows what they’re doing and how they need to respond to a breach? If you’re not sure, talk to us about your security Incident Response Plan – we have a short motion graphic on that here.
Obviously, there’s no way to 100% guarantee you’ll never have a breach. What you can guarantee is that you have the right safeguards in place, that there’s a provably in-practice set of policies and procedures, and that when a breach does happen you have a viable security IRP to make things right as quickly as possible.
Written by Chris Apgar, CISSP, C|CISO of Apgar & Associates
Apgar & Associates deliver training webinars on regulations and best practices related to HIPAA, HITECH and cybersecurity issues. To learn how Apgar & Associates privacy and security expertise can help your organization, click here.
To access RMC’s Compliance Connections Newsletter Qtr 1 2021 in pdf format click here