As mentioned in the Health Data Management article “How to keep the top exec up to speed on security issues,” there are three aspects of the Security Rule that should be distilled into meaningful executive reports: Administrative, Physical, and Technical Safeguards.[i] The Security Rule regulations provide standards for the protection of electronic (and paper) protected health information (“PHI”). An executive summary should identify not only compliance with the regulations but also the gaps where additional attention should be focused. Where are the gaps in your protection of PHI? Is your organization in a state of possible WILLFUL NEGLECT?
The Security Rule's Administrative safeguards describe an organization’s actions, policies, and procedures for managing the development, implementation, and ongoing management of the security measures that protect PHI. They also describe the required actions of the organization’s workforce related to the protection of PHI. Physical safeguards are the policies and procedures for buildings and equipment that protect PHI from natural and environmental hazards as well as from unauthorized intrusion. Finally, Technical safeguards are the policies and procedures for the use of technology and its protection with controls that prevent unauthorized access.[ii]
An assessment is required before developing an executive status report on the security of PHI. Identifying and understanding risks is the first step; eliminating or mitigating those risks closely follows.
Simply put, executives want to know two things. First, they want to know whether there are risks that have not been mitigated. What are they? How can they be exploited? What is being done to “plug the hole”? Second, they want to know the status of mitigation efforts. Have these efforts been tested? Are they sufficient? Do they require improvement? What plans have been enacted to verify, test, and ensure operational success in the event that a vulnerability is exploited or a threat materializes?
Finally, what is the status of your compliance with the regulations? I like the example in the article of the threat and vulnerability to PHI from a natural event such as a hurricane. Living in Florida, I have experienced several. The Compliance Officer and supporting technical staff are likely the individuals preparing the executive summary report, and that report should focus on the most important items, not an enormous list of issues. As mentioned earlier, this executive (one-page) summary should be brief and to the point. What is the status of compliance? What tasks are in progress? By what date will known risks have the required policies, procedures, and mitigations in place? Who are the individuals responsible for their execution?
Reporting on the status of PHI protection is not a once-and-done event; it is an activity that should occur at regular intervals and be updated as necessary. Key factors reported by KLAS for 2016 include Secure Communication (Secure Communication 2016: Vendors Transitioning to Secure Communication Platforms) and Interoperability (Interoperability 2016: From a Clinician View - Frustrating Reality or Hopeful Future?).[iii] Not only are changes in technology evergreen, but so is the data associated with PHI.
[i] Bowen, Chris. "How to Keep the Top Exec up to Speed on Security Issues." Health Data Management. Source Media, 15 Nov. 2016. Web. 16 Nov. 2016.
[ii] "CFR 45 Part 164." HIPAA SURVIVAL GUIDE CFR 45 Part 164. 3Lions Publishing, Inc., n.d. Web. 16 Nov. 2016.
[iii] KLAS Tech. "KLASresearch." KLAS Research. KLAS ENTERPRISES LLC, n.d. Web. 16 Nov. 2016.