In Part 2: Understanding the HIPAA Assessment methodology, we talked about how we assess each part of the HIPAA Security Rule: Administrative, Physical, and Technical. In this part we’ll wrap up the series with what you should do after the assessment and how to use the results to improve your security and compliance.
Part 3: After the HIPAA Assessment
Your assessment should provide feedback on each standard and its associated controls. At the very least it should give you a pass/fail grade for each one. A good assessment will document what was found for each control, the shortfalls and impact of controls not met, a risk severity determination, and recommendations for improvement.
The risk severity rating for each control is a good way to prioritize remediation. By fixing the highest risk findings first, you reduce the likelihood of a breach quickly. But be careful not to rely on the risk ranking alone. Some findings are cheaper to fix together than separately, often because they share a root cause or touch the same system. If you follow the risk ranking strictly, you may miss a chance to remediate a moderate or low risk finding cost-effectively alongside a high or critical one.
If your assessor or consultant provides recommendations, use them! Experienced consultants bring years of experience across hundreds of clients to bear for you. Use the successes and mistakes of others to your advantage. We have often seen clients interpret HIPAA too leniently or too strictly, and these recommendations can also be used to set or reset your expectations.
The best way to start after a HIPAA assessment is with planning; I can't emphasize this enough. Don't just take the results and start making changes from them.
- Organize the recommendations and group them into remediation projects
- Assign these projects an owner to see them through to completion
- Set realistic expectations on timeframes and milestones
- Work toward those milestones and adjust expectations as necessary
- Have project owners track progress and report regularly to business owners or executives
Remember, security is a process, not an event. HIPAA isn't a one-time project you can complete; it's an ongoing program in your healthcare business. It does get easier over time, though. Once you understand HIPAA, understand your business's level of compliance, and begin remediating the risks, you'll go from fixing big problems to simply maintaining compliance. Don't feel overwhelmed. Call for help!
Need a HIPAA Assessment?
Visit our services page to see how we can help
Contact us today for a free and confidential consultation.