Small Business HIPAA Security Risk Assessment
- Ray Alner
- 12 hours ago
- 4 min read
Project Overview
I was tasked with developing and maintaining HIPAA policies and procedures to improve compliance readiness.
This included creating, or leading the direction of:
Policies the company would follow.
Procedures employees would follow, based on the policies created for the team.
Implementing tools, apps or ideas to ensure there were technical, administrative or physical safeguards that could be used to monitor, track or enforce the policies and procedures.
Evidence collection to ensure the business was following the policies and procedures.
Completing these steps was required so the business could complete the HIPAA Security Risk Assessment mandated by Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
Approach & Plan
Current System
The organization used an outdated compliance service that hosted a set of generic HIPAA policies, but lacked detailed procedures, enforcement tools, or audit logs to demonstrate policy adherence. As a result, compliance readiness was limited and often difficult to verify during audits.
New System
I led the implementation of a modern compliance operations system, replacing legacy tools with a document management platform, integrated evidence collection workflows, and infrastructure to support traceable policy enforcement. This new system aligned with HIPAA’s requirements for both policy documentation and demonstrable proof of compliance, significantly improving audit preparedness and reducing risk exposure.
Deployment
There are really three parts to many GRC requirements:
Policies
Procedures
Evidence
This comes in different forms based on which framework is picked. For instance, ISO 27001 and TISAX (both frameworks I’ve worked with) separate the procedures out into different subsections, but for HIPAA a small business can basically follow P&P + Evidence, using the "Document it. Do it. Prove it." mantra. It’s different for something like ISO 27001, which follows a more risk-based Plan. Do. Check. Act. (PDCA) cycle within an Information Security Management System (ISMS).
Policy
The policy portion was relatively easy: after several failed attempts at finding other third-party audit services, I found a company, HIPAAOne, that was able to provide the template policies, a solid questionnaire, and the required HIPAA Security Risk Assessment.
Price is usually the hangup. Governance, Risk and Compliance (GRC) vendors are usually focused on large, compliance-heavy organizations that are willing to pay high prices for GRC, since it’s usually a requirement to work in those regulated industries. HIPAAOne is able to provide a question-driven audit checklist and a third-party SRA for a comparatively inexpensive price.
I was able to review and augment the questions and policies from HIPAAOne to create a set of policies that would fit the business’s structure and risk appetite. The set of policies was about 20-30 written policies, covering sections such as employee training, onboarding, Security Awareness Training, and others. The questions and policies could be broken down differently, but this is what I found worked best.

Procedure
Creating procedures really depended on the tools that were already in place. Most of the time it lands on a project management system like Jira, Trello, or similar tools. The team and I decided to go with a project management tool that handled those requirements as well as other non-HIPAA related tasks. It also included integrations with document management and storage management systems, which allowed evidence to be collected easily within the tasks.
The team and I were able to create procedures that could be followed for all policies, as well as link them to evidence collection. Most of the procedures were saved in a document system, with links to tasks that were to be completed on a regular recurring basis.
Evidence
Honestly, the most difficult part of this stage is asset management. A solid asset management system for primary, secondary and physical assets is imperative to make this relatively smooth. You can’t protect something you don’t know exists.
We implemented a combination of asset management tools and software that generated reports for evidence and artifact collection. These tools integrated with our recurring tasks system, where team members could add completion comments. This streamlined approach was sufficient for our small business needs. The monthly evidence collection and management reporting process took only 1-3 hours to complete.
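As an added illustration (not code from the original post), here is a small Python check over a constructed policy-to-procedure-to-evidence map that flags recurring tasks whose latest evidence artifact is missing or older than its cadence; the policy names, cadences and dates are assumed sample data.

```python
from datetime import date, timedelta

# Constructed sample data (assumption, not from the post): each HIPAA policy
# has a recurring procedure task and the cadence (days) at which evidence is due.
PROCEDURES = [
    {"policy": "Security Awareness Training",
     "task": "Quarterly training completion report", "cadence_days": 90},
    {"policy": "Asset Management",
     "task": "Monthly asset inventory export", "cadence_days": 30},
    {"policy": "Access Control",
     "task": "Monthly user access review", "cadence_days": 30},
]

# Constructed evidence log: task -> ISO dates on which an artifact was attached
# to the recurring task (e.g. an exported report or a completion comment).
EVIDENCE = {
    "Quarterly training completion report": ["2024-01-15", "2024-04-10"],
    "Monthly asset inventory export": ["2024-05-02", "2024-06-03"],
    # "Monthly user access review" has no evidence at all
}


def evidence_gaps(procedures, evidence, today_iso, grace_days=7):
    """Return procedures whose latest evidence is missing or older than
    cadence + grace as of today_iso; each entry says why it is a gap."""
    today = date.fromisoformat(today_iso)
    gaps = []
    for proc in procedures:
        stamps = [date.fromisoformat(d) for d in evidence.get(proc["task"], [])]
        latest = max(stamps) if stamps else None
        if latest is None:
            reason = "no evidence ever collected"
        else:
            due_by = latest + timedelta(days=proc["cadence_days"] + grace_days)
            if today <= due_by:
                continue  # evidence is current for this cadence window
            reason = f"last evidence {latest.isoformat()}, overdue since {due_by.isoformat()}"
        gaps.append({"policy": proc["policy"], "task": proc["task"], "reason": reason})
    return gaps


def evidence_coverage(procedures, evidence, today_iso):
    """Fraction of procedures with current evidence: a one-number audit-readiness signal."""
    gaps = evidence_gaps(procedures, evidence, today_iso)
    return 1 - len(gaps) / len(procedures)


if __name__ == "__main__":
    for gap in evidence_gaps(PROCEDURES, EVIDENCE, "2024-07-15"):
        print(f"[GAP] {gap['policy']}: {gap['task']} ({gap['reason']})")
    print(f"coverage: {evidence_coverage(PROCEDURES, EVIDENCE, '2024-07-15'):.0%}")
```

Run monthly against the real task tracker export, the gap list becomes the agenda for the evidence-collection session and the coverage number goes into the management report.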
Collaboration and Continuous Changes
As with everything I work on, I find ways to improve things, automate, and provide better reports to managers and users. This includes working with IT vendors, improving documentation, and finding technical improvements to implement myself or to ask the IT vendors to implement. It also includes researching new features released for the systems in place, and improving or creating technical safeguards that reduce the chance of information exfiltration by internal or external threats.
Final Results
Within a year, we improved the organization's compliance posture by:
establishing robust policies and procedures,
educating teams on HIPAA requirements and proper information handling,
identifying and deploying tools or collection methodologies to collect evidence required for HIPAA Security Risk Assessments (SRAs),
creating a cybersecurity improvement plan to drive continuous improvement year over year.
This not only ensured compliance with PHI handling requirements, but also strengthened the organization’s overall security and risk posture.