10. Auditing and Monitoring for Privacy in Healthcare

By Sheryl Vacca, CHC-F, CHPC, CHRC, CCEP-F, CCEP-I[1]

Executive Summary—Key Steps

  • Agree on a common framework for the risk-based auditing and monitoring program.

  • Assess privacy risks across the enterprise and then prioritize them by looking at the likelihood of occurrence and impact for the organization.

  • Develop a risk-based auditing and monitoring plan or integrate into current compliance plan from the identified privacy risk priorities.

  • Assure that a management action plan is developed to mitigate risks and/or resolve risks in a timely manner.

  • Assess auditing and monitoring process for effectiveness.

Getting Started

In designing the privacy risk-based auditing and monitoring activities, it is important to work closely with the organization’s senior leadership and the board, or committee of the board, to gain a clear understanding of auditing and monitoring expectations and how these activities can be leveraged together to help minimize and mitigate privacy risks for the organization. The organization’s compliance officer should be included as well to assure that applicable resources are leveraged and auditing and monitoring activities for privacy are not duplicated in the organization’s overall compliance plan. There may be other functions that might not be represented on the senior leadership team with whom you will want to consider discussing these activities as well.

Processes for establishing the privacy risk-based auditing and monitoring plan should include:

  • Performing a risk assessment

  • Prioritizing the identified risks

  • Developing the plan

If privacy is part of the overall comprehensive compliance plan, then it would be considered in the risk prioritization and ranking for the compliance plan. The overall goal of the plan is to perform periodic audits and monitoring to determine compliance with respect to applicable regulatory and legal requirements, organizational policies, and/or laws. An additional goal of the plan should be to provide assurance that management controls are in place for the detection and/or prevention of noncompliant behavior. Additionally, risk-based auditing and monitoring should include mechanisms to determine that management has implemented corrective action to mitigate or resolve any privacy risks identified.

Once the common framework for the risk-based auditing and monitoring program has been established, six key tasks must be performed:

  1. Assess and prioritize privacy risks.

  2. Develop a risk-based auditing and monitoring plan.

  3. Execute the plan.

  4. Facilitate management’s response to the corrective action plan to mitigate and/or resolve risks.

  5. Follow up with management to determine resolution and/or mitigation of the risks identified. This might include re-auditing, validation, monitoring, or other focused activities to assist with determination of whether the risk has been decreased.

  6. Assess and evaluate the overall process for effectiveness.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings