10 tips to prepare for an OCR audit

By Michelle McNickle
01:54 PM

6. Train workforce members. The highest risk to any organization, they said, is people. If workforce members aren’t trained, the risk of violations and breaches of PHI significantly increases. “Organizations need to remember training is an ongoing process, and not a one-time event,” said Sher-Jan. Also, they added, training doesn’t just include “classroom training.” Instead, it needs to include training workforce members on what they’re responsible for in relation to the protection of PHI. All workforce members, they said, need to know the steps outlined in your organization’s policies and procedures before they will know what’s required of them. Lastly, they added, if you have business associates whose employees have access to PHI, they also need to be trained.

7. Conduct a risk analysis and ongoing risk management. This will help to reasonably ensure you have the policies, procedures, and practices in place to implement a robust privacy and security program and handle incidents in compliance with the interim final breach notification rule on an ongoing basis. According to Sher-Jan and Apgar, you should identify your high-risk assets and ensure that risk analysis for these assets is current. Assets should include technical and non-technical assets that are critical to your organization. This means certain critical business or clinical processes, for example, need to be included in your asset inventory. Remember, they said, that risk vectors evolve, and so should your ongoing risk management.

8. Document mitigation activity. Both Sher-Jan and Apgar agreed that one needs to demonstrate continued compliance activities of an organization, which “again, is not a ‘one time’ event.” It’s unlikely, they said, any organization can prevent all unauthorized access or exposure of PHI, but, it’s important to show you’re committed to protecting PHI. You can do this by documenting your incident discovery, response, and mitigation activities, they said. 

9. Conduct periodic audits. And this isn’t just a regulatory requirement, they said – it’s an important activity to address potential privacy and security gaps, while identifying security incidents before a significant breach occurs. A proactive audit, by internal resources or qualified vendors, can be very instrumental in detecting compliance gaps and reducing risk to the organization, while avoiding the unwanted scrutiny that comes with an actual OCR audit or investigation, they said. 

10. Seek assistance from knowledgeable vendors. It’s helpful to get an outside perspective and specific expertise when preparing for or conducting an audit or evaluation, they said. A knowledgeable vendor can augment your limited resources and provide the third-party credibility that can be leveraged with federal auditors. 

Follow Michelle McNickle on Twitter, @Michelle_writes
