HIPAA Triad: Risk Assessment, Policies, Training
The rule of threes is prevalent. Think of the three-legged stool, tripod, trilateral, triumvirate, tricycle, and so on. HIPAA has its own triad of core systems that must be in place in order to be considered HIPAA compliant. So while the NIST protocol has 104 security rules, they are clustered around the big three: risk assessment, policies, and training.
Failed audits always feature one or more of these areas. As a manager you should be asking these core questions frequently: What is the date of our last formal risk assessment? When were our policies last updated? Have all of our staff been trained on these policies and implemented them?
Demand documentation of these events, because if you don't have the documentation then they didn't happen. At least that has been the position of Health and Human Services' (HHS) enforcement arm, the Office of Civil Rights (OCR). Just to throw some more initials your way, the Office of the Inspector General (OIG) has just taken HHS and OCR to task for failing to enforce HIPAA HITECH adequately.
If OIG, HHS, and OCR don't scare you then think about your clients, business partners, and business associates. They have started enforcing those business associate agreements everyone so blithely signed by asking for proof that you are living up to these agreements. It is very simple to ask for a copy of your most recent risk assessment, copies of policies, and documentation of staff training.
At least quarterly you should ask for proof that the triad is functioning in your organization.
Questions or comments welcomed at firstname.lastname@example.org