HHS has once again provided guidance on the importance of having a methodology for developing, implementing, and maintaining a comprehensive compliance program (“Program”). It should be clear that the entire objective of your HIPAA compliance initiative (“HCI”) is to build said Program over time, especially if you are interested in establishing a “Culture of Compliance!” The latter is something that HHS continues to emphasize and value.
HHS’ guidance did not directly use the word methodology; there was no need to. The guidance does not reference any specific sections of the HIPAA Privacy, Security, or Breach Notification Rules (“the Rules” or “Rules”). However, if you peruse the guidance with any sort of rigor, you quickly understand that it is all about methodology, which is exactly what HHS intended to convey in partnership with the HCCA. The message contained in the guidance, reading between the lines, is the same one that Leon Rodriguez (“Rodriguez”), former Director of OCR under the Obama Administration, echoed in a recent interview.
The commentary (see here and here) provided by the HIPAA Survival Guide (“HSG”) pursuant to HHS’ guidance helps describe the methodology that is built into our Subscription Plan. That is, the latter is not a set of loosely joined software, products, templates and tools; rather, all of it is underpinned by a methodology that helps you establish the kind of Program HHS is interested in seeing stakeholders adopt. Beyond the shameless plug, the idea is that you should be asking your compliance consultants whether or not they have a methodology and, if so, how it helps you build the requisite Program over time.