We always talk about the need for a culture of compliance or culture of privacy and security. Today we talk about 6 things you notice when you have built a culture of compliance. The 6 comes from 3 x 2 which means there is clearly no rhyme or reason for the selection today. These can be goals because we see them as 6 signs of HIPAA program maturity.
If you are putting in the work you should see things changing. These are the signs we expect to see when a program is working and the organization is fully engaged in the privacy and security program. These could be seen as the goals of your program. Here is our list of where you want to take your privacy and security program when considering the overall program maturity.
1 – Staff Engagement. One of the first things we see change when the program starts to work is staff reporting things and asking questions. Things that happened 6 months ago start bubbling up. The activity is a little overwhelming to compliance officers who are there for the transition from check-the-box to culture of compliance.
Your training programs keep the concern for privacy and security top of mind, which makes staff take note of strange things, or of things they have done for years but now see could be a problem. The alertness of your staff is the best line of defense you get to enjoy, and you only get it when your workforce receives training that isn’t the once-a-year HIPAA rule review.
The majority of the workforce does not complain about HIPAA privacy or security. In fact, now they get the whole “patient care” quote and pay attention to who is discussing patient information and with whom. They even self-police so that they remind each other of their obligations, policies, and procedures.
Patient access to information is considered a primary requirement of patient engagement and an extension of patient care. Concern for the well-being of patients includes concern about information being in the wrong hands and about information being in the right hands as soon as it can get there. Patients are actually asked if they are ok with disclosures, without the staff member making it sound like some stupid question they are forced to ask.
HIPAA program maturity will be seen by anyone who enters your organization if your staff is engaged, and your success will be dramatically increased.
2 – Leadership Engagement. Leadership is fully engaged with the program, meaning they show up to training sessions, ask questions before taking action, review risk management progress in the monthly business meeting, make sure that there are resources assigned to the program, ask about vendors’ capabilities, and, well, you get it. When leadership is engaged everyone pays attention to privacy and security issues.
When leadership is engaged they serve on the compliance team and/or the incident response team and participate as other team members do. Your business meetings include discussions of privacy and security implications of the decisions being made.
Most importantly, leadership doesn’t disparage the program or try to avoid doing the training and work as much as possible. If they do, then leadership teams also have to self-police to make sure there is a united front setting the direction that privacy and security really are of great concern to your organization. You know that phrase we always see in the breach notification letters about how much we do care about your privacy and security concerns? You actually say it on a regular basis and live that sentiment on a daily basis, not just when there has been a breach and everyone feels like they are in trouble.
Like all messages, the most important ones are sent from the top down, and those are the ones even outsiders tend to hear and see within your organization.
HIPAA program maturity will be longer lasting and more effective when leadership is concerned and engaged, which keeps all the other parts on track.
3 – Team Engagement. Reporting and reviews are done regularly by the assigned compliance teams to keep a finger on the pulse of your organization and the protections you have in place. Someone actually reviews the information and asks questions.
Assessments and risk analysis are not chores; they happen naturally when your engaged leadership or workforce members ask in another meeting, “Does this have privacy or security issues we should pass on to the compliance team before we implement these changes?”
Your IT team works with your compliance team to make sure things are properly documented and what is being done on the technical side actually follows written policies and procedures.
HIPAA program maturity will be seen when a question about the privacy or security of PHI is asked and someone knows the answer, knows where to find the answer, or knows who to call about the problem. An engaged team will be proactive in finding problems and making sure patches are handled and 2FA is installed before an email account is compromised. Your team will hear about others’ problems and say, “Really glad we handled that with X.”
4 – Incident Response Team. You have a real team that meets periodically and discusses what is needed. You do tabletop exercises and figure out how your team would respond in detail not just a very general five-minute discussion. Real tabletop exercises include someone throwing a wrench in from time to time on the story of what is happening as the exercise progresses.
The team has tools that allow them to communicate properly with each other during a crisis. Staff and leadership all know who are the major players on the team and who to notify if they see a potential problem that should be investigated.
HIPAA program maturity will be seen because whenever someone sees a problem, they know who to call. Who ya gonna call! The team knows exactly what to do, which saves time, resources, and money in the long run while, most importantly, protecting patients faster.
5 – Training. Not the training that is once a year telling you what HIPAA says. You may still do that as part of the process but you have training that mentions the why of HIPAA and the how and why of security. Your training is happening regularly with tools like phishing tests and National Cybersecurity Awareness Month and National Privacy Day events.
Your teams are learning to embrace things at work and take them home to protect their children, home networks, and where they share private information. Your patients (or clients) notice posters, signs, and discussions about privacy and security that aren’t just obligatory HIPAA signs that haven’t been updated in 10 years.
HIPAA program maturity will be seen because everyone is aware of privacy and security importance in their job every day. It is part of discussions in planning meetings and day-to-day tasks. Training isn’t a once a year thing that people dread, hate, and blow off because it is boring and the same information over and over. Now, phishing tests make everyone compete or give each other a hard time if someone falls for it.
6 – Documentation. You don’t panic at the thought of someone asking you for your HIPAA program documentation in a few days. Not only do you have it but you actually know where it is kept! People can actually get to the policies and procedures to confirm information or address something that isn’t often handled in normal processing.
Staff will actively supply their training documentation when they get HIPAA training such as, oh maybe, listening to the Help Me With HIPAA podcast. Remember, from our app you can email yourself a PDF that has the show notes neatly formatted for your training documentation.
Work that is being done regularly is actually being noted on your systems by the people doing it, so you aren’t following up and asking questions about what happened or didn’t happen a year or two ago.
HIPAA program maturity will be seen because you know what is happening and you can prove it if someone asks you to “show me the money”.
As you may note, none of these mention things like running scans, doing patching, passwords vs. passphrases, and all the other things people usually start telling you about their HIPAA program. It isn’t the technical tools that make your program mature and functional; it is always all about the people. “It’s the people, people” was one of our very original episodes. Nothing has changed, no matter what malware is out there, how the ransomware attacks have been growing, or what the bad guys are after. If your people are engaged and understand that what is important is protecting your patients (or clients) and your business, then you have a program that works.