7.4 DEFINING THE GOALS
7.4
DEFINING THE GOALS
Stephen Covey teaches a concept he calls 'begin with the end in mind'. In short, this means the best way to determine how to get somewhere is first to determine where you're going. For HIPAA, this means identifying what specific implementation requirements you're trying to achieve and referencing the specific regulation text
related
to each implementation task. By referring to the source HIPAA legislation, you'll provide additional strength to justify your implementation plan. The
next
chapter of this book can provide a useful guideline for defining your specific implementation requirements.
7.5
IDENTIFYING THE EXISTING TOOLS
Now that the goals have been defined, time is well spent in identifying what tools currently exist that might achieve the goals or could be slightly
altered
in order to meet the goals without excessive costs. This task item is primarily aimed at the third 'rule to work by'. By taking into consideration existing infrastructure, it's likely that the overall cost of implementation will be reduced and the managers responsible for approving the HIPAA budget will feel more comfortable that some thought has been put into how previous purchases can be leveraged to achieve your compliance goals.
7.6
PICK YOUR SOLUTIONS
Now that you're armed with all the information, it's time to make a decision on what technologies you want to implement. Research the compliance alternatives thoroughly and identify what solutions are the most appropriate to meet your compliance needs based upon economic, political and social considerations. Document what solutions were researched and why each compliance decision was made. In cases where trade-offs need further consideration before a choice is selected, create a bullet list of the decision points that similar implementation decisions might
differ
.
7.7
IDENTIFYING THE COST OF DOING NOTHING
This is one of the most important
parts
of getting your HIPAA compliance plan approved. If you are unable to identify what it would cost to not do anything, then the people approving your project are
unlikely
to see the financial benefit. When it comes to HIPAA, you can easily point out the legal
ramifications
of not
complying
, but the cost of non-compliance can include many more details. Use the following questions to help determine the expected risk and the financial impact associated with failing to implement your HIPAA compliance plan:
-
If a breach occurs, how much money in
fines
does HIPAA require?
-
What is the
likelihood
of a breach occurring if the plan is not implemented?
-
How much business would be lost if the breach occurred in terms of dollars?
The answer to the first question was explained in the previous chapter. The answers to the
next
two questions require a considerable amount of thought. The best guidance I can give on these questions is to remember the first rule to work by, be realistic. The following formula is a useful tool in determining the financial risk: (Question 2 as a percentage) * (Question 1 answer+Question 2 answer)=Financial Risk.
If you analyze the financial risk and find that the cost of a particular task in your implementation plan greatly exceeds it, then there's likely a problem. Either the most expensive solution was
chosen
and a less costly option has a better cost-benefit trade-off or you need to reevaluate your need to solve the goal identified earlier. Believe it or not, HIPAA was not written to require organizations to
spend
millions of dollars unnecessarily. The lawmakers who put this piece of legislation together clearly
understood
that it was going to cost a great deal of money to
comply
, but their intent is that it should be a good cost-benefit trade-off. To ignore this analysis is to ignore the intent of the lawmakers. This issue is primarily a concern where the HIPAA Security regulations identify certain implementation aspects to be optional. If reasonable consideration has been given to complying with an optional implementation requirement, and the cost-benefit analysis shows the implementation to be a bad business decision, then HIPAA only requires and organization to document their risk acceptance and move on. If you don't weed out the optional
tasks
that probably aren't required prior to going to the decision makers with your plan, then you're likely to find a lot of resistance. I prefer to separate the 'must do's' from the 'should do's' and allow the decision
makers
to make an informed decision about how much risk acceptance they are willing to take. The added benefit of this approach is that the 'must do's' aren't delayed while the 'should do's' are being
considered
.