5 Things To Do Before Year’s End

It is hard to believe another year is coming to an end. It is time to review 2017 and plan for 2018.  That means it is time to make your list of 5 Things To Do Before Year’s End. Just in case you need some help with that list, we made one for you!

HIPAA For MSPs by J. David Sims 5 Things To Do Before Year's End

A nurse hits on a patient after getting a phone number from the EHR.

Before we get started on our 5 things to do before year’s end list, David has one of those OMG stories to share from the world of HIPAA and improper uses and disclosures.


Today’s topic

5 Things To Do Before Year’s End

1. Review Risk Management (How did we do this year?)

  • Have you documented and stored in your compliance documentation system all the project details from this year?
    • Remember, if it isn’t documented, it didn’t happen.
    • Pull some random documentation you do have on file to confirm things are being done and audited properly.
  • What high-risk gaps have been closed this year?
    • Showing improvement is your constant objective where risk management is involved.
  • How did you do in meeting your goals for the year?
    • You may have time to finalize some things that just got set aside earlier in the year if you catch it in time.
    • What areas should get extra attention for next year based on their progress this year?
  • Have all of your vendors been processed properly in your BA management plan?
    • High-risk vendors should have done or updated a BA due diligence questionnaire.
    • New vendors should have been evaluated to determine their BA status and risk level if they are a BA.
    • Confirm that new vendors that should have BAA in place do have one and it is finalized and stored in your contract management system.
    • Remember to document you did this review!

2. Goals (Based on this year what do you need to do differently next year)

  • Mini Risk Analysis may be required for new technology or changes to your workflow.
  • Training calendars were set, but how did you do in accomplishing them? Should it be done differently this year?
  • Calendar for reviewing, updating or creating P&P was part of your original plan.  Did that work well enough for you to use the same approach next year?
  • BA reviews (verify their compliance and BAA is in effect)
  • Set S.M.A.R.T. goals for 2018 based on your progress in 2017.
    • Specific
    • Measurable
    • Achievable
    • Results-Focused / Realistic / Relevant
    • Time-Based

3. Planning desktop reviews for IRT/DRBC, training and security awareness activity for 2018

  • Set dates for training sessions now so that your entire team can be present for these sessions.
  • Set dates for desktop reviews of your plans with different sections of the team or the team as a whole.  If you don’t review it then you won’t be prepared to execute the plan.
  • You don’t have to know specifically what you are going to do on those training and meeting dates. The objective is just to get them on everyone’s calendar so they know well in advance that they have to be there.

4. Budgeting for projects and tech refreshes you may need

  • The IT Transformation Health Care Needs article by the Harvard Business Review made some interesting points on the planning for technology in healthcare.
  • In the article’s section on using IT and data analytics, they made the point that it was much more effective if healthcare organizations would begin “prioritizing quality improvement over cost cutting”.
  • Their study found that spending on the big ticket security technology items didn’t create as much ROI as expected.
  • However, electing to spend nothing wasn’t the solution either.
  • As with anything else, investing in solutions that actually show improvements in security and privacy is much better than big spending or no spending.

5. Tech Review

  • Review your list of assets that you have added or retired.
    • Desktops, Servers, Laptops, Phones, Tablets, IoT that have been brought into the ecosystem or removed from it over the year should be documented clearly.
    • Are the proper maintenance subscriptions still in place for all critical hardware and software applications?
  • Critical applications should be evaluated for upcoming needs.
    • Are your big upgrades addressed, or do you need to plan for them next year?
    • Has your admin level staff reviewed all the updates that have happened this year?
    • Have all users who were terminated been removed or disabled?
  • Security tests and reviews of all of the infrastructure.
    • Network
    • Wifi
    • Endpoints
    • Portable storage
    • Cloud storage and servers
  • Disaster Recovery / Business Continuity
    • Are backups happening?
    • Are backups being tested?
    • Do you know your recovery time?
    • Review your DR/BC action plan to confirm no changes are needed.
  • Ensure IT is involved
    • Do they know everything about your environment that may have changed?
    • Don’t assume; verify what your IT team knows.
    • If outsourced IT, is it time for a compliance review of their business?
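The question of whether every terminated user has actually been removed or disabled is one of the few items on this list that can be checked mechanically rather than by asking. The following Python script is an added example, not code from the podcast or any product it mentions: it reconciles a constructed HR terminations export against a constructed directory export and reports accounts that are still enabled after the termination date, treating a logon after termination as the more serious case. The field names (`employee_id`, `username`, `enabled`, `last_logon`), the sample data and the one-day grace period are assumptions about how your own exports look.

```python
"""Year-end user access reconciliation (added example, not from the podcast).

Cross-checks an HR terminations list against a directory export and flags
accounts that should have been disabled. All data below is constructed;
the field names are an assumption about your HR and directory exports.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    username: str
    employee_id: str
    terminated: date
    days_open: int          # days between termination and the review date
    last_logon: Optional[date]
    issue: str


# Constructed sample HR export: employee id -> termination date
HR_TERMINATIONS: Dict[str, date] = {
    "E1001": date(2017, 3, 15),
    "E1002": date(2017, 9, 1),
    "E1003": date(2017, 11, 20),
}

# Constructed sample directory export (what an AD/LDAP user dump might look like)
DIRECTORY: List[dict] = [
    {"employee_id": "E1001", "username": "jsmith", "enabled": False, "last_logon": date(2017, 3, 14)},
    {"employee_id": "E1002", "username": "mjones", "enabled": True, "last_logon": date(2017, 10, 5)},
    {"employee_id": "E1003", "username": "rlee", "enabled": True, "last_logon": date(2017, 11, 18)},
    {"employee_id": "E1004", "username": "akhan", "enabled": True, "last_logon": date(2017, 12, 1)},
    {"employee_id": None, "username": "svc_backup", "enabled": True, "last_logon": None},
]

AS_OF = date(2017, 12, 31)  # the review date


def reconcile(terminations: Dict[str, date], directory: List[dict],
              as_of: date, grace_days: int = 1) -> List[Finding]:
    """Return terminated employees whose accounts are still enabled.

    Accounts with no employee id (service accounts) are skipped here; they
    need their own owner review. A short grace period avoids flagging people
    whose termination is being processed the same day.
    """
    findings = []
    for acct in directory:
        emp = acct["employee_id"]
        if emp is None or not acct["enabled"]:
            continue
        term = terminations.get(emp)
        if term is None:
            continue                      # still employed, nothing to check
        days_open = (as_of - term).days
        if days_open <= grace_days:
            continue
        last = acct["last_logon"]
        issue = "enabled after termination"
        if last is not None and last > term:
            issue = "logon after termination"   # someone used it after the leave date
        findings.append(Finding(acct["username"], emp, term, days_open, last, issue))
    # Most serious first: post-termination logons, then longest-open accounts
    findings.sort(key=lambda f: (f.issue != "logon after termination", -f.days_open))
    return findings


def removed_accounts(terminations: Dict[str, date], directory: List[dict]) -> List[str]:
    """Terminated employees with no directory record at all: the account was
    deleted, so confirm the removal is documented in your compliance records."""
    present = {a["employee_id"] for a in directory if a["employee_id"]}
    return sorted(set(terminations) - present)


def run_review() -> List[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_TERMINATIONS, DIRECTORY, AS_OF)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.username:12} {f.employee_id} terminated {f.terminated} "
              f"({f.days_open} days ago) last logon {f.last_logon}: {f.issue}")
    for emp in removed_accounts(HR_TERMINATIONS, DIRECTORY):
        print(f"{emp}: no directory account (confirm removal is documented)")
```

Feed it your real exports by replacing the two constructed tables with the output of your HR system and directory dump; the report is the evidence for the "remember to document you did this review" item, so store it with the rest of the year's compliance documentation.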

Once we finished the list, it became more than we first anticipated.  Some of this may run into the beginning-of-the-year activities.  Regardless of whether it gets done before year’s end or in the new year, this is an exercise that should be done.  The process will provide the things you need to confirm, improve and maintain your compliance program.