The Situation
A behavioral health practice with seven employees and nearly a decade in operation reached out after a growing concern that an audit would surface problems they could not see from the inside. The practice had been running on good intentions. What it did not have was a documented, functional compliance operation.
The practice owner knew enough to be concerned. What she did not know was exactly where the gaps were or how far behind the practice actually was.
What We Found
A compliance diagnostic revealed four significant operational gaps.
The practice had never conducted a formal HIPAA security risk assessment. Without one, there was no documented understanding of where protected health information lived, how it moved, or what vulnerabilities existed in the environment.
Formal HIPAA training had never been completed. Staff were making daily decisions involving protected health information without a documented understanding of their obligations under the Privacy or Security Rule.
Vendor relationships were only partially covered. Several vendors with access to protected health information did not have a signed Business Associate Agreement in place, leaving the practice exposed without documentation of what those vendors were permitted to do with patient data.
The practice had two versions of its Notice of Privacy Practices in circulation with no version control. Patients were receiving inconsistent information and the practice had no system for managing updates.
What We Did
We began with a full compliance diagnostic that documented both the strengths the practice had built over nine years and the gaps that needed to be addressed before they became regulatory liabilities.
From those findings we developed a 90-day compliance roadmap that sequenced every remediation action by priority and assigned clear ownership so nothing was left to assumption. The roadmap gave the practice a structured path forward rather than an overwhelming list of requirements.
We then moved into implementation, working alongside the practice to complete the security risk assessment, deliver staff HIPAA training, secure Business Associate Agreements with all applicable vendors, and consolidate the Notice of Privacy Practices into a single version-controlled document.
The Outcome
By the end of the 90-day engagement the practice had resolved every gap identified in the diagnostic. The security risk assessment was complete and documented. Staff had completed formal HIPAA training with records on file. All vendor relationships were covered by current Business Associate Agreements. A single, version-controlled Notice of Privacy Practices was in place.
More importantly the practice now has a monitoring structure that tells them what to review, when to review it, and what operational changes require a compliance update. They are not waiting for an audit to find out where they stand. They know.
A practice that came to us concerned about what an auditor might find left with the documentation and systems to answer that question with confidence.
Ready to find out where your practice stands?
The Practice Risk Check™ identifies operational compliance gaps before they become regulatory problems.
Start here: https://delicate-paper-93475.myflodesk.com/cu9pb6q49z
Or schedule a free Compliance Strategy Call:
https://calendly.com/guesscomplianceconsulting-proton/compliancestrategycall
We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.