Amateurs

I recently visited the Herman Miller headquarters outside Grand Rapids, Michigan as part of a board retreat for the Nursing Institute for Healthcare Design (NIHD).    Herman Miller has been an innovator in the furniture business for over 80 years.    I left the retreat with a copy of the book, Leadership Jazz, which was written by Max DePree, the former chairman of Herman Miller's board.   An inspiring read, I finished the book before my flight landed in Minneapolis.  

I especially enjoyed the chapter about amateurs.  Frankly, I think we are all amateurs -- curious individuals who like nothing better than learning something new, often with unexpected results.   DePree calls it the "beneficial surprise" that celebrates the amateur's fresh point of view and which often produces a "stunningly elegant solution."    One of my NIHD colleagues likens amateurs to disruptive innovators, the roving leaders who defy definition.  She is spot on.

In addition to my work as a health care consultant and professor, I delight in my work as an amateur. Of course, there are my Wabi Creations that I design as an aspiring maker/artist.   I also enjoy several volunteer roles.  In most cases, the organizations have invited me to the table and welcomed my commitment, my curiosity, my talents.   On occasion, I need a quick "integrity check" when someone refers to me as a "self-taught" in contrast to their formally trained, "professional" status.  Stay the course, Susan.  Stay the course.

Indeed, let's celebrate amateurs of all types.  Let's also celebrate the wise leaders who know enough to seek out, welcome and empower amateurs in their organizations.  According to DePree, "leaders can make a college, a business or any organization hospitable to the person without the usual credentials.  The trick is simply to look at merit naked.  Learn to hear the tune despite the noise."

Thank you for the pep talk for us amateurs, Mr. DePree.  Leadership jazz, indeed.

The HIPAA Phase 2 Audits ... Here's the Skinny!

The Health and Human Services' Office of Civil Rights (OCR) has initiated Phase 2 of the HIPAA Privacy, Security and Breach Notification Audit Program (Program).  

If you are a HIPAA Covered Entity (CE) or Business Associate (BA, here's the skinny ... 

1.   AUDIT PROCESS.  The Program involves a multi-step process: (a) verification of CE and BA contact information; (b) pre-audit questionnaire and random sampling process to select CE and BA audit subjects; (c) notification letter and document request; (d) desk review; (e) on-site review of CE and BA selected from desk reviews and otherwise; (f) draft report; (g) CE (or BA) comment period; (h) final audit report.  

2.   AUDIT PROTOCOL.  The Program uses an Audit Protocol that is organized around the Privacy, Security and Breach Notification Rules.    http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html  

3.   AUDIT GOAL.  The primary goal of the Audits is to review the policies and procedures for CE and BA compliance with selected Rules.  As with the Phase 1 Audits, the process is a primarily a compliance improvement activity, however OCR may initiate a follow up compliance review, as necessary.  

4.  COMPLIANCE REVIEWS.  A compliance review may be initiated by the OCR following receipt of a complaint, a breach notification, a media report, an audit report or otherwise, for "no reason." The compliance review is a multi-step process that includes (a) written notification and document request; (2) desk review: (3) on-site review that includes observations, interviews and additional document review that may extend over several days; (4) closing conference.  As necessary, OCR can also initiate subpoenas and other inquiries, as necessary, to complete the process.  Violations identified as a result of the compliance review may result in voluntary compliance, corrective action and/or resolution agreements that may impose multi-year monitoring and civil money penalties, among other requirements, all subject to a fair hearing procedure.  

5.   AUDIT RESULTS.  OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity. However, under the Freedom of Information Act (FOIA), OCR may be required to release audit notification letters and other information about these audits upon request by the public, subject to FOIA regulations.  

6.   AUDIT READINESS.   How best to prepare for the Phase 2 Audits?  Assemble an in-house work group, print a copy of the Audit Protocol and begin your own self-study of the current policies and procedures and the related forms and documentation that evidence compliance with these policies and procedures.  

Questions or other Phase 2 Audit readiness follow up, please contact Susan Ziel at Integrity Health Strategies -- sziel@ihsconsultinggroup.com or (317) 819-7704.