certification,Clearwater Compliance,Compliance assessments,electronic protected health information,ePHI,HIPAA,Information Risk Management,IRM,National Institute of Standards and Technology,NIST,OCR,Office for Civil Rights,Phase 2 Audit Protocol
Controls-based “checklists” and dubious certifications will not adequately protect a healthcare organization’s sensitive digital assets. What will work is a formal Information Risk Management (IRM) program designed to grow more effective and mature over time.
Two documents from the Office for Civil Rights (OCR) show what the federal government's HIPAA enforcement arm considers appropriate for determining an organization's level of compliance and information security under HIPAA: the Phase 2 Audit Protocol, which covers all three HIPAA rules (Privacy, Security and Breach Notification), and OCR's Final Guidance on Risk Analysis, which is specific to the HIPAA Security Rule and to information risk management.
You should consider this OCR guidance when selecting tools to determine your current level of compliance and information security. The two documents can also serve as a prioritization plan for remediating weaknesses and as a project management tool for tracking remediation progress. Documented improvement in IRM compliance over time is the evidence OCR regularly requests during investigations and audits; the lack of it can result in increased fines and penalties.
Here’s what the two OCR documents require: