We are now offering a HIPAA - HITECH workshop to our customers and prospects who have HIPAA compliance concerns. We've learned some valuable lessons through the workshop creation and delivery process.
We created the workshop because -- even though we offer a set of services and safeguards that would solve almost any HIPAA-regulated organization's compliance challenge -- most of our sales conversations around the HIPAA topic were starting with an "I don't know enough ..." in the client's introductory paragraph.
Our sales team kept reporting the difficulty these Privacy Officers and Security Officers had in having a conversation about our offered solutions because they didn't have the knowledge they needed to do their job. This is especially true in mid-sized CEs, small practices and many BAs. The assigned PO or SO position (many times only one person) was an add-on to a full-time job that was already a challenging 40-hour week before the HIPAA add-on.
Not counting extra blog-related reading, direct client work and vendor-partner-related HIPAA reading, I have about 120 hours into the HIPAA - HITECH learning experience this year. And my learning has come on a foundation of 10-plus years focused on security and privacy.
The biggest risk to most organizations' HIPAA compliance is the limited knowledge that the PO and/or SO can gather given constrained time and training budgets.
Our workshop covers the learning areas that we see lacking in those we are trying to help:
- Module 1: HIPAA - HITECH overview, because frankly there are a number of misunderstandings about HIPAA itself all these years in, not to mention the additions and adjustments from HITECH
- Module 2: Information Security 101, because while HIPAA largely uses the established information security and privacy jargon, most PO/SOs don't have a working knowledge of the basics like confidentiality, integrity, availability, risk, threat, vulnerability, authentication, authorization, etc.
- Module 3: Privacy Rule, because again the rule isn't universally understood by those charged to implement it in CEs and BAs, or by their management
- Module 4: Security Rule, because again the rule isn't universally understood by those charged to implement it in CEs and BAs, or by their management
Along with the learning in the last two modules, we go through a Privacy Rule and Security Rule gap assessment to detail where the client is non-compliant. We do it in a group setting with the PO, SO, management, IT (if that is a different person) and others involved in managing PHI or PHI processes.
In the workshops we've done to date there have been moments where the process of doing the facilitated self-assessment brings a moment of clarity to the table. Management thought something was being done. The PO or SO says, "Sure, we have the policy, but you didn't fund the safeguard, so we aren't compliant with HIPAA or our own policy."
As you know, I'm a huge advocate for a management-level information security steering committee. These gaps in knowledge and gaps in understanding, which ultimately feed a gap in compliance, only get cleared up when those responsible for security and privacy, from funders to doers, can learn and coordinate on a regular basis.
We are finding that our workshop is a clear step in helping create the foundation for that ongoing focused committee structure.
Do you have a working security steering committee? How is it helping you build understanding for security and privacy? Is that understanding translating into a more secure organization?