7.3 RULES TO WORK BY

These rules are good to keep in mind as you plan for and discuss your intended HIPAA compliance project plan.

  • Be realistic

  • Make well informed choices

  • Keep the big picture in mind

  • Don't nickel and dime

  • Document, document, document

Okay, so it seems like common sense to say 'be realistic', but more often than not, this is where many project plans fall on their face and fail to be granted approval. Basically, this means the right solution is not necessarily the most expensive, flashy or latest innovation. Instead, it's one that meets the required goal by balancing technological capabilities with financial and social considerations. In short, it would be unrealistic to require users to change their passwords daily, with a minimum length of sixty characters that must be alphanumeric and contain special characters, and with infinite history retention to avoid reuse.

It seems like common sense that choices should be well informed. In the context of HIPAA, this means that you have a clear understanding of what the HIPAA legislation requires of you to the extent that you can clearly define the intended goals you are trying to achieve. It also means that you've researched alternatives. It would be a bad idea to suggest to your organization that they deploy a PIX firewall because you had a friend who said it was the best thing to do. Instead, you need to be aware of the alternatives and be informed about why one solution is technically, socially and/or economically better than others. The primary reason why this is listed as a rule to work by is because if you take the time to become well informed about your goals and decisions, it will show when it comes time to pitch your HIPAA compliance project plan. You'll likely find yourself being asked difficult questions and unless you have taken the time to thoroughly understand what you're trying to sell, it will show and you'll lose a lot of respect, thus decreasing the likelihood of being granted approval.

The biggest sign of the most well thought out plans is recognition of a larger purpose. How does your HIPAA compliance plan fit into long term business goals, IT projects and budgets and the overall existing infrastructure? By taking time to understand the organization as a business, society and as a technical infrastructure, some decisions can be made that will work together with other related projects. For example, if you become aware that an initiative has been put into place to convert all workstations to Linux based operating systems, you're unlikely to pitch a Microsoft OS automated patch management system. Instead, you'd likely work on prioritizing the roll-out in order to meet the February 2005 compliance date.

Imagine taking your car to a mechanic because it's started to smoke. After about ten minutes, the mechanic comes in and tells you that it's going to cost $200 to fix a problem with your radiator, and you give the go-ahead. Forty-five minutes later he tells you it's going to be another $60 to drain and refill your radiator fluid. Then thirty minutes later he tells you that you also have a worn belt that needs replacing, and it's going to be another $200. Imagine if this goes on for another $700 worth of expenditure. Now imagine if the same mechanic told you up front that it's going to be $1,160 to take care of it. While the impact on your wallet is the same in both cases, the second example will likely leave you with a much better experience. The same scenario applies when pitching your HIPAA compliance project. This is the 'don't nickel and dime' rule. Gather all of the information up front, spend the time to think of anything and everything that's going to cost money, and present the project as a whole with one price tag and one price tag only. Many executives feel that once they've authorized a single purchase towards HIPAA compliance, they've signed off on the entire package. The result is that, regardless of the amount, future justifications for the same project plan will become much more difficult. As a corollary to this rule, it's often a good idea to provide a little padding in your estimates in order to make way for small but unplanned expenses. Applying the first rule, it may not be realistic to identify the total cost in one shot, since further costs are sometimes only revealed after some preliminary tasks are performed. In these cases, do your best to estimate what the total cost will be and work hard to prevent scope creep. Also, reduce the number of times you ask for additional funding as much as possible by packaging additional expenses together into bundled requests.

The last rule applies not only to the project plan, but also to the project implementation. In the planning phase, thoroughly documenting the plan can bring to light smaller expenses and details that would otherwise have gone unnoticed. Additionally, the documentation process helps you become familiar with the intimate details of the project, which will give you confidence and establish your credibility as you pitch the plan, since questions will be answered with ease. In the implementation stage, the documentation of what has been done and when things will be done will be an invaluable resource to your successors and auditors.




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
