The Six Stages of Compliance
Compliancy Group has a well-defined process for getting you compliant. We have broken this process down into six stages so that you know where you stand at any given time. The stages are explained below.
Stage 1 begins right at the point of your first meeting. It encompasses the audits found within the Guard, your Self-Audits. For a Covered Entity, these include the HIPAA Security Standard Self-Audit, the HIPAA Privacy Standard Self-Audit and the HITECH Subtitle D Privacy Self-Audit. If you are a Business Associate, you will only be completing the HIPAA Security Standard Self-Audit and the HITECH Subtitle D Privacy Self-Audit. Aside from the audits found within the System, your Coach will email you a note containing several attachments.
The most important of those attachments are the three MS Excel sheets. These spreadsheets are titled HIPAA IT Risk Analysis Questionnaire, HIPAA IT Risk Analysis Device Audit and HIPAA Physical Site Audit. The two with IT directly in the title should be forwarded to your IT staff for completion. You can complete the Physical Site Audit yourself; it is merely a walk-through of your facility where you answer yes/no questions. Upon completion of these audits, please hold onto them until meeting two, where we will show you how to place those items back into the Guard.
Stage 2 encompasses some administrative work. This is where you will upload your Excel sheet audits back into the Guard, discuss staff CAs with your Coach, discuss how to add Users to the Guard, and discuss Business Associates and other vendors. The auto-building of your remediation plans is also part of Stage 2.
Stage 3 is where we will begin our conversation on policy. We are not yet going to tackle the full content of the policies. We will take it a bit slow at first to allow you a chance to acclimate yourself to the language. Your Coach will email you the necessary policy templates along with a document titled, “Policy Review Notes and Tips.” This tip guide is indispensable and super handy. If at any point you cannot locate the tip sheet, let your Coach know so another one may be forwarded to you.
To start, you will download the policies and create two new folders on your desktop. Please place the respective policies in the appropriate folders. Your Coach will then guide you on the ‘Administrative’ work you will perform within the policy document. After completion of that work, you will want to review pages 4-17 (and page 23 if you are a BA) in the tip sheet. Once you reach this point, stop and wait for your next meeting.
Let’s imagine we have reached that next appointment for further explanation. You’ve completed the administrative work and are seeking to dig more into the nitty-gritty of the policies themselves. Please (on your computer screen) line up the tip sheet with the policy you are reading. When you have a question, refer to the tip sheet. It will have 80% of your answers. Now, I use 80% very specifically. This is because there will be outliers. There will be the 20% of questions you have that are just better than the FAQs that made up the tip sheet in the first place. For these real head-scratchers please jot your question down with an S for Security/P for Privacy and the number of the policy. This way we may address your concerns all the more expeditiously.
Stage 4 is where we will finalize the policies you worked so diligently on and place them back into the Guard. We will do so in a specific manner, to allow for training to occur. Once you are happy with your policies we will place them into the Document Repository (beneath the mid-line). So, let’s imagine all your questions have been addressed. Congratulations! You’ve now reached Stage 4 of 6.
To upload the documents back into the Guard, please follow the steps laid out in this paragraph. First, navigate to Tracking, then Documents (Version Control). Now, below the mid-line, click on either the Security/Privacy Policies to open the folder. With the folder showing green, look down about 1 1/2 inches to where it says Upload. When you click Upload, a yellow box will appear. Find the correct policy via the Choose File key. For the name, please just put an S or P to start. Then, bring up page three in your tip sheet. This is your table of contents. Please feel free to copy the title from the tip sheet and paste it within the Document Title field. Copy/paste this down to the description. The enactment date is the same day as the effective date seen on your policy. The review date is one year following. Now, be sure to check the box that asks if you want to make the document readable for all users, and hit Upload Document. You are now ready to begin Stage 5.
Stage 5 is where we will begin training. Administrators of the Guard will actually go first. Then, the Staff will follow suit. This is because there are 7 security policies which are more managerial/more hierarchal. So, after the Administrators train, we remove these 7 since the Staff need not bother with them. After the Staff trains, you will e-mail your Coach to advise of your status and they will guide you from there. Let’s walk this back a tad, though.
After you have met with your Coach, they will have sent you some training documentation. This includes general directions on how to correctly upload your policies, a training and attestation flyer (which we will back-pocket for the moment), and instructions on how to set your Chrome browser up appropriately so documents automatically appear once clicked, rather than having to dig for them.
First, go about uploading your policies as explained by your Coach, the previous paragraph, or the one-pager with instructions that was sent your way. Upon upload, please attest that you read and understood the document for each of the policies. You have already read these, so no need to have you double your efforts.
Your Coach will have also added in some ancillary training for you: HIPAA 101, Cyber-Security, Incident Management and (if you bill Medicare) Fraud, Waste and Abuse. Please review and attest to these documents as well. When you are done, have your fellow Administrators perform the same activities. Once all Administrators are done with their respective training, we ask that you please email your Coach, informing them of your status. The Coach will then go about removing the seven policies, as mentioned above, and email you back to tell you to disseminate the Training and Attestation Flyer, remind you that the Staff need only read the synopses of the policies, and have them go at it! Once the Staff completes their training, we ask that you please email your Coach once again to inform them of this update. At this point, you are all set with Stage 5! Congratulations again!
Stage 6 is where there is a ‘changing of the hands’, so to speak. You will have a one-off meeting with our CCO, Bob Grant. He just likes to make sure every site is as compliant as can be. He’ll furnish some instructions on how to close remediation plans and send you your seal. That’s it! You’re now done with this year’s efforts.