If you are managing any Protected Health Information (PHI), you need to be HIPAA compliant. HIPAA is a law that sets out guidelines and responsibilities, but compliance with it is not audited by an external provider. Many companies therefore ask their relevant partners to undergo an audit to demonstrate compliance, and the solution many organizations turn to is HITRUST certification. While not specific to HIPAA, HITRUST is generally considered a superset of the HIPAA guidelines.
Foghorn partners with Drummond Group and Sublett Consulting to accelerate HITRUST certification for our clients. Our team has built some best practices and code around many of the requirements, increasing both velocity and consistency of results.
Process vs. Automation
First and foremost, to enhance efficiency, you must differentiate between process requirements and technical requirements, and use technology to improve your processes where possible. To minimize the workload of manual processes, consider automating any task that recurs more often than monthly (e.g. weekly or daily). For example, if a requirement states that you must inventory your “media” containing PHI daily and log the activity, you could go into the AWS console every day, check, and inventory your PHI by hand. The more efficient option is to use technology to complete this goal. For this task, Foghorn has written code that queries the AWS API and sends a ticket to the ticketing system for your review. The task that would have taken 30+ minutes per day becomes a quick approval (a few minutes), and the ticketing system holds the record that the inventory was reviewed.
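As an added illustration of that automation (example code written for this post, not Foghorn's own tooling): the block below takes volumes in the shape returned by the EC2 `describe_volumes` API, selects those tagged as PHI under an assumed `DataClassification=PHI` tagging convention, and builds a review-ticket payload that also flags any PHI volume that is not encrypted, since that is the finding a reviewer would most want surfaced. The sample volumes are constructed; live use would feed in boto3's `describe_volumes` output and post the payload to the ticketing system's API.

```python
from datetime import date

PHI_TAG_KEY = "DataClassification"  # assumed tagging convention, not from the post
PHI_TAG_VALUE = "PHI"

def inventory_phi_media(volumes):
    """Return one inventory record per volume tagged as PHI, with its encryption state."""
    records = []
    for v in volumes:
        tags = {t["Key"]: t["Value"] for t in v.get("Tags", [])}  # flatten tag list
        if tags.get(PHI_TAG_KEY) != PHI_TAG_VALUE:
            continue
        records.append({
            "VolumeId": v["VolumeId"],
            "Encrypted": bool(v.get("Encrypted", False)),
            "State": v.get("State"),
            "Attached": [a["InstanceId"] for a in v.get("Attachments", [])],
        })
    return records

def build_ticket(records, today=None):
    """Build the review-ticket payload; unencrypted PHI media raises the priority."""
    today = today or date.today().isoformat()
    unencrypted = [r["VolumeId"] for r in records if not r["Encrypted"]]
    lines = [f"{r['VolumeId']} encrypted={r['Encrypted']} state={r['State']} "
             f"attached={','.join(r['Attached']) or 'none'}" for r in records]
    if unencrypted:
        lines.append("ACTION REQUIRED: unencrypted PHI volumes: " + ", ".join(unencrypted))
    else:
        lines.append("All PHI volumes encrypted; approve to record today's review.")
    return {
        "summary": f"PHI media inventory {today}: {len(records)} volume(s)",
        "priority": "High" if unencrypted else "Low",
        "description": "\n".join(lines),
        "unencrypted": unencrypted,
    }

# Constructed sample in the shape of ec2.describe_volumes()["Volumes"].
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "State": "in-use",
     "Attachments": [{"InstanceId": "i-0111"}], "Tags": [{"Key": "DataClassification", "Value": "PHI"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False, "State": "available",
     "Attachments": [], "Tags": [{"Key": "DataClassification", "Value": "PHI"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": False, "State": "in-use",
     "Attachments": [], "Tags": [{"Key": "Environment", "Value": "dev"}]},
]

if __name__ == "__main__":
    # Live use: volumes = boto3.client("ec2").describe_volumes()["Volumes"], then POST the payload.
    print(build_ticket(inventory_phi_media(SAMPLE_VOLUMES), today="2024-01-01")["description"])
```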
You will most likely find that HITRUST involves people from across your organization. The project manager should run it as a standard software development project; our customers often create a new Jira project to track progress. Since the project requires communication with multiple teams, having a ticket for each item ensures that each task is completed properly and with the corresponding documentation. ComplySmart does a great job of organizing this process and of using ticketing systems to drive the review of the artifacts required for certification.
Tracking Resource Availability
As with any new feature of your application, make sure level-of-effort estimates are expressed in points or hours. Adding the estimate helps other teams understand how much time each task will take, so they can add it to their sprints as needed.
Forecast the Finish Line
Finally, as with every other project in your company, make sure the timelines and milestones toward your goal are achievable. HITRUST is a multi-month process with a lot of paperwork and documentation. Once you finish the work, your HITRUST auditors will need a month or more to review and sign off on it. Afterward, the HITRUST committee has to sign off as well, which takes additional time. Set expectations accordingly!
HITRUST – An Ongoing Effort
After you are certified, there are tasks that need to be completed daily, weekly, monthly, quarterly, and annually in order to pass the yearly inspections and remain certified going forward. This is a large and time-consuming project, so make sure you have the high-level support needed to ensure it all gets completed accurately.
Since Foghorn has done this process multiple times, we have built some strong processes and code that can be used to help expedite the project. Our HIPAA whitepaper is available for you at any time. Please reach out if you have any questions.