Update risk assessments, don’t comply on the spot
An initial risk assessment will not be enough when you undergo a desk audit, says Bruce D. Lamb, JD, a shareholder with the Gunster law firm in Tampa Bay, FL. Risk assessments should be conducted on a periodic basis, with proper documentation, he says. Any breach of data security must be fully explained, with documentation that details how it was discovered, how affected parties were notified, and any corrective action taken, Lamb says.
"There were some pretty significant changes made in the notification requirements, so obviously if you haven't updated your policies and procedures to keep up with the changes, that will be problematic for some entities," Lamb says. "Auditors also will look at how you are classifying classes of employees, who has access to data and who doesn't, along with organizational charts."
There also should be documentation that a security official or committee has been designated and when. As with other points of compliance, the date it happened can be crucial.
"In the earlier phase, there were circumstances where the documentation was requested, and then people were rushing to fix the problem before responding," Lamb says. The Department of Health and Human Services Office for Civil Rights "is on to that, and they will be looking not only at whether you complied. Backdating things or complying on the spot is not going to work very effectively."