I get asked this question almost every day. So, I decided to devise a scoring system to help you estimate how long it will take to get compliant. Answer these questions and tally up your score. Keep in mind you can never consider yourself 100% compliant. The only thing you shoot for is to be confident you are following the requirements that apply to your business and addressing problems and questions as they occur in a normal day. This little exercise is based on nothing more than our experience working with BAs and CEs at various stages of the process. The goal for most of them is just to get the foundation built for their regular compliance activity to take place. It won’t be a perfect answer but it will give you a good idea of where you stand and what you are facing to complete that foundation.
| Question | Score 1 | Score 2 | Score 3 |
|---|---|---|---|
| When did you last complete and document a Security Risk Analysis? | This year | Last year | I don’t know, or more than 2 years ago |
| How many hours of HIPAA training has the average staff member had in the last 12 months? | 8 or more hours | 3 – 7 hours | Less than 3 hours |
| When did you last do a complete review of your Privacy and Security Policies and Procedures? | This year | Last year | I don’t know, or more than 2 years ago |
| Do you have a breach notification plan in place that all staff has been trained to follow? | Yes | No | I don’t know |
| Have your Privacy and Security Officers completed any additional training in the last 6 months? | 8 or more hours | 3 – 7 hours | Less than 3 hours |
| Do you have a written project plan showing your compliance activity and future direction? | Yes | No | I don’t know |
| Do you have a written disaster recovery plan that your staff is trained to follow? | Yes | No | I don’t know |
| Have you done a written due diligence with all of your business associates concerning their compliance? | Yes | No | I don’t know |
| How much time is devoted to your compliance tasks each week? | 3 or more hours | 1 or 2 hours | I do what I can |
Got your score?
- 9 – 12: You have most of the hard work done and now you just need to continue with your on-going compliance activity. You are in good shape. Make sure you keep up with your documentation and don’t let it slip, or you’ll get behind on your follow-up and documentation. You probably have a regular schedule worked out already and you know how much time you need to devote to getting the last few ducks in a row. A third-party audit is your next big step.
- 13 – 18: You have a solid start on the process, but you still need to get a lot more done to be in the normal on-going activity cycle. You’ve got at least a month or two ahead of you, and that assumes you will devote some focused resources to the project and get it done. You probably need more reviews, training and documentation, and you need to complete some more written policies and procedures. You should consider some outside assistance. Since you haven’t gotten this stuff done yet, you likely need some help.
- 18 – 27: You have months to go before you can even feel your foundation is close to complete. It all depends on the resources you are willing to devote to getting the work done. Outside help is a must for you. There are too many requirements that need attention, and you’re too far behind to catch up on your own unless a full-time person is devoted to compliance.
Every time I hear the question I know exactly how my Dad felt each time the little heads in the backseat said “How long ’til we get there?” Honestly, there is no right answer for how long it will take to get compliant. The process is never complete and always requires attention. Resources and requirements vary from one business to another. Build the foundation first and the rest will just become normal business activity.
Filed under: HIPAA Tagged: Business Associates, Compliance, HIPAA, Small Provider