HIPAA Compliance: All hands on deck
Submitted by Guest and Compliance Expert, Virginia B. Sizemore (CHC, CIA, MBA)

As virtually all compliance officers know, the September 24, 2014 HIPAA compliance deadline is upon us. The Office for Civil Rights (OCR) audits are already underway, and it’s clear that previous audits will pale in comparison to the latest round. In addition to what was previously audited, the OIG Work Plan will call out several new exposure points, including HIPAA data security. It will be evaluating the security measures taken to protect the growing number of electronic patient records that are maintained by both hospitals and their business associates (BAs). A quick review of the “Wall of Shame” section of the Department of Health and Human Services (HHS) website leaves no doubt that the financial penalties and civil penalties can be staggering.

Every hospital is at some level of risk, and many are at very high risk without even being cognizant of their exposure. For that reason, every organization should be making HIPAA compliance and BA oversight a top priority. Compliance leaders need to engage with both board-level and C-level executives to get buy-in on organization-wide initiatives to become “audit ready.” Board members and C-level executives are two separate and distinct groups, and each needs to be approached somewhat differently.

With board-level executives and trustees, it is important that they see you as a trusted advisor. Ideally, you should be in front of your board often enough that you are able to develop relationships with them as individuals. Some of them may be health professionals, but most will be community business leaders in other industries. When working with board members, it’s best to avoid using healthcare jargon and keep your message high level. Try to weave a story together to make your point regarding risks and exposure. Anecdotal evidence from other healthcare organizations can be helpful in getting board members to understand the risks and identify with the issues. Especially helpful are stories involving very well-respected organizations.

With C-level executives, it is important to know your audience and understand that each executive has different areas of concern and responsibility. It can be helpful to strategically engage with their direct reports and enlist their help in getting on the executive’s radar. As with board members, avoid speaking technically or quoting laws and statutes. Instead, try to tell a story, be clear in asking for help and make sure your audience understands exactly what you are asking them for. Lastly, define the business risks in ways they can understand. For example, your chief marketing officer will be more concerned about losing your “trusted community provider” status, while your chief financial officer will be focused on threats to profitability or bond ratings along with increased insurance premiums.

By proactively engaging with C-level executives and board members and gaining their active support, compliance leaders can more quickly gain organization-wide alignment on HIPAA compliance and BA oversight.