In the healthcare industry “Vital Sign” monitoring is crucial to detecting patient deterioration. Likewise, in the healthcare regulations industry (HIPAA privacy and security), a similar metaphor may be “Vital Sign” compliance monitoring is crucial to detecting corporate compliance deterioration. We discuss “Vital Sign” measurements below as a method to improve compliance health.
Background. Medical “Vital Signs” reflect essential body functions, including Body Temperature, Pulse Rate, Respiration Rate, and Blood Pressure. Monitoring for early warning signs of impending deterioration is the goal. If deterioration is detected, a rapid response team is activated, and evaluation and intervention is deployed to prevent further clinical deterioration.
It’s this writers opinion, that HIPAA Compliance requires similar monitoring i.e. “Vital Signs” of a healthcare related organization’s Data Governance and Stewardship, Policies and Procedures, Business Associates, and Risk Analysis for early warning signs of impending compliance deterioration. If deterioration is detected, a rapid response team should be activated, and evaluation and intervention deployed to prevent further compliance deterioration.
Data Governance. Establishes the broad policies for access, management, and permissible uses of data; identifies the methods and procedures necessary for the stewardship process; and establishes the qualifications of those who would use the data and the conditions under which data access can be granted. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4899064/
Data Stewardship. Denotes an approach to the management of data, particularly data, however gathered, that can identify individuals. Data stewardship can be thought of as a collection of data management methods covering acquisition, storage, aggregation, de-identification, and procedures for data release and use. The concept of a data steward is intended to convey a fiduciary (or trust) relationship with data and data manager whose loyalty is to the interests of individuals and entities whose data are stored in and managed by the system. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4899064/
Policies and Procedures. Generally, policies are guiding principles used to set direction in an organization to support data governance. Procedures are a series of steps to be followed as a consistent and repetitive approach to accomplish an end result. As a document, policies and procedures establish guidelines, purpose, scope, roles, responsibilities, and coordination among organizational entities to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements.
Business Associates. To ensure data governance is managed across the spectrum, the HIPAA Privacy Rule allows a Covered Entity (Defined as a health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction covered under HIPAA) to disclose Protected Health Information (PHI) or Electronic Health Information (EPHI) to vendors, referred to as a “Business Associate” if the Covered Entity obtains satisfactory assurances that the Business Associate will use the information only for the purposes for which it was engaged by the Covered Entity, will safeguard the information from misuse, and will help the Covered Entity comply with certain of the Covered Entity’s duties under the HIPAA privacy, security and data breach rules.
Likewise, the HIPAA Security Rule provides that a Covered Entity may permit a Business Associate to create, receive, maintain, or transmit EPHI on the Covered Entity’s behalf only if the Covered Entity obtains satisfactory assurances by entering into a contract with their Business Associate, referred to as a Business Associate Agreement (BAA).
Risk Analysis. A final “Vital Sign” under HIPAA, requires that both Covered Entities and Business Associates adopt HIPAA privacy, security, and data breach standards, including the implementation of reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of healthcare information. Specifically, the Security Rule requires Covered Entities and Business Associates evaluate risks and vulnerabilities in their environments and to implement policies, procedures, and technologies that are appropriate for the organizations size and structure to address those risks and vulnerabilities. In particular, the HIPAA risk analysis regulatory standard, C.F.R. § 164.308(a)(1)(ii)(A) Risk Analysis, requires Covered Entities and Business Associates to – “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the Covered Entity or business associate.
Conclusion. Actively monitoring HIPAA compliance “Vital Signs”, including Data Governance and Stewardship, Policies and Procedures, Business Associates, and Risk Analysis, offer core measures that if systematically applied prevent compliance deterioration.