Once upon a time, there was a successful but IT-naïve ophthalmic practice, whose leaders thought their HIPAA security measures had been fully researched, installed and hence impregnable. Staff members would glowingly reassure anyone that the practice’s HIPAA house was in order … until they were asked questions, like the name of their HIPAA security officer … or the number of disaster recovery tests the practice ran per year … or to see the HIPAA risk analysis or proof of workforce training and awareness.

While the practice had tried hard to attain and maintain compliance, it fell short because its major deficits — no IT management system and no HIPAA compliance management system — were its Achilles’ heels. Happily, they engaged the services of a competent consulting firm to review its efforts and to make recommendations. What follows is the story of how this unfolded.

A little agita

The path to true HIPAA compliance started when the practice racked up complaints from staff members in all of its departments: long outages that invited audits, trouble tickets that affected patient flow, billing complaints that impacted income, personnel tiffs that soured the work day because staff didn’t understand what a system was, nor how one process affected another process.

So, the practice partners did the only thing they could: They sought a second opinion. They hired an outside consultancy to perform discovery of their current state of IT management and HIPAA security compliance management. A central assumption was that a tightly-managed IT services portfolio would make HIPAA security compliance easier and less costly because IT management processes would naturally mitigate risks. But this was wrong. Because staff didn’t understand what defined a portfolio, let alone a system, the new consultants would need to make clear communication another important concern.

Another wrong assumption: There is nothing natural about reducing risk.

How efficient was anything related to IT management and HIPAA compliance in the practice?

Quick answer: They were in the “red” on both.

An important response

The partners wanted to drill down. They asked the consultancy to assess the following:

1. The HIPAA compliance management system
2. The Enterprise IT management system
3. The overall performance of the current systems

Phase one was discovery and data collection while in phase two the consultancy would present findings, make recommendations and prioritize remediation and corrective action projects.

What follows are examples of activities a consultancy might perform in a similar engagement. We have provided this in the form of a letter of engagement so the reader can experience the decision-making process the partners went through. (See sidebar on next page.)

It is always good to clarify any assumptions that either client or consultant might have. It is vital to describe, as much as possible, the scope of what will be done and how much it will cost.

After clarifying assumptions and scope, the client should hear details about the work to be performed. Below is an example.

The key takeaway from this section is acting, not reacting. The presence or absence of management processes is one thing, how well they are designed and executed are another. How often do you review your planned vs. actual when it comes to process execution, process enforcement and process management?

With discovery over, phase two begins. In phase two, the practice will learn the consultant’s findings, recommendations and the prioritization of remediation and corrective action projects.

Summary of discovery findings

Critical risk exposures were uncovered for both systems. There are no documented management systems or evidence that the practice has adopted, implemented or demonstrated conformance with industry-standard reference models, standards of practice or protocols, or legally mandated implementation standards for either system.

There is minimal documentation of:

• HIPAA Security Rule compliance (Gap Assessment used only one assessment tool and neglected to perform critical aspects of gap assessment procedures)
• Enterprise IT conformance to any industry reference model (ITIL, ISO, BSI, Microsoft Standards of Practice, etc.)

Conclusion: The practice’s enterprise and HIPAA compliance processes require a small number of triage interventions. In addition, mid- to long-term adoption of processes for quality management and operational management of both systems should be implemented once the top critical risks are addressed.

Recommendations

Risk mitigation defines IT management and HIPAA security management priorities. Since you cannot eliminate risk totally, you can mitigate by anticipating and addressing deficiencies. There are only four ways to address risk: You can avoid, transfer, accept or mitigate it.

Activate a HIPAA compliance management system technology platform and manage highest exposure HIPAA compliance risks as priority one projects.

Do the same with IT infrastructure exposures. This will include evaluating and selecting hosted software providers who offer HIPAA compliance management systems. We do not recommend an on-premise database that you install, which requires backup, updates, patches and so on.

Hosted Software-as-a-Service (SaaS) is the better option. These hosted applications are easier to acquire and are preconfigured with all the compliance management activities, tasks, recurring processes, policies and procedures, workforce training and awareness, and incident management that a HIPAA compliance program needs. They vary based on how scripted and prescriptive the HIPAA program is.

For example, some systems offer student areas, policy libraries, compliance officer communications and action plan outlines, but they do not actually notify managers if projects fall behind or if processes are undocumented. These systems assume that the practice understands compliance management very well and simply needs to centralize reporting and evidence collection of compliance. Other systems assume that the practice has very little compliance management know-how and provides guidance and notices, alerts and reminders so that compliance management becomes evergreen.

Actions to approve now

Engage interim CIO expertise to oversee high-risk to intermediate-risk projects. This person can:

• Assume prior CIO duties
• Assist IT oversight committee with oversight and management processes
• Co-present with committee to board during initial 90 day period
• Manage all IT and HIPAA solution provider relationships

Stand up two early-stage management systems (HIPAA and IT):

• Activate compliance technology platform — HIPAA health center with compliance coordinator services
• Implement IT lockdown — IT infrastructure hardening and hardware/software refresh of high-risk elements

Address biggest productivity, uptime, availability, confidentiality and integrity risks:

• Hardware
• Software — common off the shelf (COTS) and custom applications
• Networks
• Communication and phone systems

Approve interim CIO to work with IT oversight committee to prioritize and present project portfolio for approval.

Actions to approve next

Once the highest risk exposures are addressed, then it is safe to return to a systems review and remediation plan.

The goal is to maintain a state of continuous audit readiness:

• HIPAA audit readiness — ONC protocols (mandated compliance)
• IT audit readiness – ITIL protocols (voluntary conformance)

Fold the recommendation and remediation action plan phases of original engagement into this stage. Transition to systems approach to management of IT and HIPAA compliance.

Summary: A tale of two practices

It was the best of HIPAA; it was the worst of HIPAA (apologies to Charles Dickens). Two practices, A and B, get the same recommendations and findings. The implications of what they chose to do may seem familiar to you.

Practice A used the information on its status as a lever to change its approach to risk management and compliance management. Its IT director could defend direct investments in hardening the practice’s information management processes and positioning the practice against fines and future remediation costs.

Practice B decided to stay with the status quo, because, “What are the odds of being caught and paying the price?”

The board of directors continued unaware that the first incident would directly impact their wallets. The managing partners chose to delay or decline in hardening their IT assets and this replicated a pre-existing pattern of neglect. “Don’t invest, just react when it breaks. We’ll just find someone to fix it.”

The net-net is that a HIPAA compliance audit is unlikely; however, a HIPAA breach is very likely. Your primary goal when the breach occurs must be to prove, because of your preparation, that this incident was an anomaly. Willful neglect is a real offense.

Proactive processes

Decisions that you must balance boil down to this: A well-run, proactively managed IT department will provide the majority of the compliance preparation required by law without a lot of special investment on top of your IT costs.

Get your IT house in order with proper management processes and then backfill with compliance management processes that are specific to the regulation to which you must comply. OM

About the Author

Peter J. Polack, MD, FACS is co-managing partner for Ocala Eye, a multi-subspecialty ophthalmology practice in Ocala, Fla. He is also founder of Emedikon, an online practice-resource for physicians and administrators. His e-mail is ppolack@ocalaeye.com.