HHS, OIG, DOJ & OTHER INDUSTRY LEADERS RELEASE COMPLIANCE GUIDANCE

If HHS or another regulator knocked on your door today – would you “pass” the audit?

On April 29, 2015, HHS (Dept. of Health and Human Services), OIG (Office of the Inspector General), HCS (Healthcare Compliance Association) and AHLA (American Health Lawyers Association), along with other industry leaders, released a first-of-its-kind joint educational resource entitled “Practical Guidance for Healthcare Boards on Compliance Oversight,” providing helpful tools for identifying risks, preparing for audits and responding to incidents. The document provides diverse tools and insights to governing boards, compliance officials and those reporting to them. Recognizing that there is no uniform, “one size fits all” approach to compliance, this multi-faceted guidance document will be a valuable resource for organizations both large and small to evaluate the scope and adequacy of their compliance programs.

In addition to asking the right questions of the right people to evaluate the risks posed to an organization, having an incident response plan before it’s needed is one of the best ways to ensure an organization can effectively respond to and recover from a security incident. Working with qualified legal and other professionals with strong compliance experience is one of the best ways to avoid problems.

This guidance emphasizes the importance of organization-wide accountability and offers decision makers a variety of tools to evaluate the effectiveness of policies and procedures within their organizations. The guidance – I believe correctly – concludes that asking the right questions is critical to staying ahead of problems.

The DOJ (Dept. of Justice) has also just released its guidance document entitled “Best Practices for Victim Response and Reporting of Cyber Incidents” providing practical advice for fending off and responding to cyber attacks. Offering guidance on what businesses should do before, during or after a cyber attack, DOJ outlines what’s expected in the event of a security incident, including the preservation of evidence and cooperation with their investigations.

As more and more healthcare and other entities are affected by illegal intrusions, these guidance documents offer practical advice for protecting against the ever-present risk of cyber attack. An organization’s risk analysis (or lack of one) is a primary area of focus for regulators, who know insufficient analysis to be the single biggest culprit behind many known breaches. The absolute worst time to develop a breach response plan is after an attack – having the right people, processes and resources in place before they are needed puts every organization in the best position to respond to and successfully recover from a security breach.

With more than a decade of experience helping companies prepare for and respond to regulatory audits and security incidents, we welcome your inquiries on how we can help.