New NIST HIPAA toolkit; Hope Dims for Final HIPAA Regs by end of 2011?

Hello All,

Well, the wait isn't over yet, and there I thought my last client message would trigger the release of the new final HIPAA regulation changes.  Maybe this one will!  I haven't heard any rumors of its being close either, so I'm starting to think we may have to wait into 2012 for the changes in regulations to be finalized for laws that went into effect in 2009 and 2010.  Patience, Jim, patience.

But the news isn't all bad these days -- NIST has released its HIPAA Security Rule Toolkit (see http://scap.nist.gov/hipaa/ ), which provides a comprehensive (to say the least!) set of questions pertaining to Security Rule compliance and a way to catalog and gather all of your supporting documentation of compliance, such as policies, procedures, and other actions taken in pursuit of good security practices.

The tool includes two surveys, standard and enterprise, with 492 or 809 questions, respectively.  Now, that's a lot of questions to work through, even for the "lightweight" version.  It's based on the HIPAA regulations and the HITECH expansions that are expected to be finalized Real Soon Now (and I thought only software companies had vaporware!) and the NIST guides for Security Controls and HIPAA Security Compliance, so it really covers the bases.  Even if you only read through the questions, you can learn a lot about what the regulations require and how you might relate that to what you do.

So, don't think for a minute that the NIST Security Rule Toolkit makes compliance something you can knock off in an afternoon.  You will best approach it by taking an hour to become familiar with it and how it works, then taking a day to read through the questions and start to think about how you'd answer them, if you can.  Using the toolkit will be a project, and you will need to plan how to use it and the amount of effort you will put into it.  For almost any entity, simply diving right in and answering questions will quickly show you what you don't know and can't document, and your progress will slow to a discouraging crawl.  You are far better off just reading through it first, and then formulating your plan of attack, and it will take some time.  

As you formulate your plan, look over the sources of questions that have been asked in the past in HIPAA Security Rule audits so you can see how you'd be able to answer those questions with the information collected in the Toolkit.  See:
» 42 questions asked in first OIG HIPAA Security audit in March 2007 at http://tinyurl.com/2ac9jm.
» CMS OESS 2008 Interview and Document Request for HIPAA Security Onsite Investigations and Compliance Reviews, at http://tinyurl.com/27eakjz
» Questions asked of a small provider after a data breach involving theft of a laptop and server, at: http://tinyurl.com/3jpoa4p

But when you're done, you will have a great set of documentation that should make it possible to answer any audit questions that come your way, in case you're hit with a breach, complaint, or one of those nifty new random audits that are getting under way now.

Can the question sets be modified?  Yes, if you're handy with XML, but a tool is not provided within the Toolkit itself.  As I look at it, I might wish to "roll-up" some questions into fewer questions, as there is some overlap with this level of detail, so I suspect I'll check out what's involved with that in my free time, or, more likely, when a client decides it's worth having the questions customized to their particular situation.

Overall?  Definitely not a panacea, and definitely worth including in your compliance arsenal, at least for its educational value.  If you are already using a Wiki or a SharePoint server to organize your compliance documentation, you might just use the Toolkit to verify that you have what you need and create a list of things you need to do, but you can certainly make it the basis of your compliance documentation if you wish -- just know that the Toolkit, like compliance, is not to be taken lightly.

At this point, I think I'll say that I'd rather not see the new final regulations until after the holidays -- do you think that will cause their release on Christmas Eve?

I wish you all a safe and happy holiday season, with health and the companionship of the people you love.

Jim

Copyright © 2002-2023 Lewis Creek Systems, LLC  Charlotte, Vermont, USA