H2 Scorecard

What is the H2 Compliance Scorecard?

The H2 ("HITECH/HIPAA) Compliance Scorecard ("Scorecard") is a simple but powerful mechanism for reviewing your progress with respect to Checklist completion/improvement. It works as follows:

  1. Every checklist item ("Item") is given a completion score using the following statuses:
    • M="Missing" which means that the Item has not been implemented and has a corresponding ordinal value of zero (0).
    • P="Planned" which means that the Item, although not implemented, has been identified on a project plan to be implemented and has a corresponding ordinal value of one (1).
    • B="Basic" which means that the Item has been implemented but in its most basic form and has a corresponding ordinal value of two (2).
    • F="Functional" which means that the Item has been implemented and the basic implementation has been improved upon and has a corresponding ordinal value of three (3).
    • E="Excellent" which means that a functional implementation has been refined and/or remained stable over a period of six months or more and has a corresponding ordinal value of four (4).
  2. You add up the scores on each applicable Item (not all Items are applicable to every organization) and multiply by the total number of applicable Items to arrive at a raw score.
  3. You can track the raw score over time to measure your organization's compliance progress/improvement.
  4. The Scorecard and our compliance equation are foundational components of our compliance methodology. Our compliance equation is calculated as follows:

Compliance =Policies + Processes + Tracking Mechanisms=Visible Demonstrable Evidence=Culture of Compliance

You can't produce visible, demonstrable evidence of compliance if you don't have policies, processes that underpin your policies, and tracking mechanisms that track process results at the granularity level of a requirement.


Measuring the Cost of Non-Compliance?

So how do we measure the risk, and thereby the cost of non compliance, especially with respect to an event that appears to be unlikely?

Risk=Probability x IMPACT

In the past the probability of something "BAD" happening as a result of HIPAA non-compliance was close to zero. Why? Because prior to the HITECH Act, HIPAA was an unenforced paper tiger. There was no fear or concern and none was warranted. All the "insiders" knew HHS' dirty little secret and acted accordingly. That all changed with HITECH. We now know that the impact of a major breach is HUGE! The impact may include:

  1. Stiff fines from HHS
  2. Multi million dollar notification costs
  3. Lawsuits from State AGs
  4. Class action suits

If you still believe that the impact is small then you have been asleep at the wheel, and it is likely that your organization will be the next to make news. No, most C-Suite executive now understand there may be a significant impact. However, they also likely believe that the probability part of the risk equation is small. The question is:

What is the probability of getting caught?

The answer is that it is becoming more probable every day. Here are some scenarios sure to get you caught in descending order of probability:

  1. Your organization will experience a breach;
  2. Your organization will have a patient complain & the nature of the complaint will show "willful neglect;"
  3. Your organization will be randomly audited.

The probability of all three scenarios is growing. There are no PHI risk free environments. NONE. To most compliance professionals this is common sense and a recognition of the the business reality that they live in. There is simply no budget big enough and not enough hours in your organization's lifetime to eliminate all risk related to PHI, nor do the regulations call for that. The Security Rule calls for "reasonable and appropriate safeguards" (granted some of the safeguards are totally non-trivial to implement correctly).

Get the basics covered & then focus on the BIG PAIN points that are likely to cause you the most liability.

So what? The so what is that the "best is the enemy of the good." Like some many things in competitive environments, it is the basic "blocking and tackling" that often gets over looked. Get the basics covered and then focus on those high pain point areas that are likely to cause you the most liability. Here are couple of interesting data points from PwC's recent survey:

Of the 11 million people affected by data breaches since September 2009,  55% were affected by data breaches involving business associates. Healthcare organizations have only grazed the surface when it comes to ensuring their business associates can be trusted with PHI. Only 38% perform pre-contract assessments of their business associates and just 26% conduct post-contract compliance assessments.

Of the electronic data breaches reported to OCR, 90% were a result of a lost computer or device, theft, or unauthorized access/disclosure.

Focusing on business associate and portable/mobile device risk might be a good place to get outstanding ROI on your compliance investment.

You Can't Manage What You Don't Measure

Our H2 Compliance Scorecard is a key component of our compliance governance methodology. It works hand-in-hand with our Checklists. It allows your organization to provide an "at-a-glance" status of your compliance initiative. Our Scorecard(s) are a mechanism for providing visible, demonstrable evidence of compliance initiative progress They are useful for both internal and external reporting and to show, in fact, that you are indeed measuring the thing you are trying to manage.