The importance of being HIPAA compliant is higher than ever with the current state of security and the potential penalties that can be levied on organizations. The Health Insurance Portability and Accountability Act (HIPAA) passed in 1996 establishes industry-wide standards for the protection and handling of Protected Health Information (PHI), among other things. Maintaining compliance means implementing security controls and developing policies/procedures to ensure the confidentiality, integrity, and availability of ePHI. In addition to HIPAA, organizations need to consider the HIPAA Privacy Rule (2000) and the HIPAA Security Rule (2003) which were released as additional requirements.
In can be daunting to become or maintain HIPAA compliance for organizations with all these different requirements and your primary source of information being over 100 pages of text in a government regulation. It’s not exactly user-friendly, but to become HIPAA compliant you are going to need to be familiar with the full text of HIPAA (45 CFR Parts 160, 162, and 164). You’ll have to apply these to your business and ensure you are upholding this standard of security operations over the life of your business.
With that in mind, there is no specific or accredited compliance certification that is officially recognized by federal and/or state regulators. But there are companies, like Triaxiom Security, that can help with this process and provide third-party assurance that you’re meeting HIPAA requirements. Getting an outside perspective and documented proof of your security controls will provide further reassurance to any prospective clients (if you’re a Business Associate) or to regulators (if you are a health provider) that you are compliant. Third-party audits like this are also beneficial as they will identify any aspects of HIPAA compliance that are not properly implemented or have been overlooked, allowing your organization to address issues before they become a serious issue or result in a penalty for noncompliance.
Next Steps to Being HIPAA Compliant
So with all of that background information in mind of what HIPAA is and what it requires of you, the next step to compliance is implementing the required controls, drafting the required policies/procedures, and training your personnel on how to maintain compliance. There are a number of HIPAA compliance checklists out there that you can find on the Internet and use to start this process (along with the full HIPAA text). But for many organizations that don’t have dedicated security, IT, or compliance resources, these checklists and requirements can be difficult to understand, translate, and implement. This is usually where a HIPAA Gap Analysis can help, where a third-party comes in, assesses your current state of compliance, and then provides a roadmap on what exactly needs to be done to reach compliance.
If you’re not sure where you’re at in this whole process and just need some guidance, please reach out! We’d love to discuss and help in any way we can, whether that’s just pointing you to the right resources or coming in and performing a Gap Analysis to provide you with third-party assurance that you’re doing things the right way. Look for future posts getting more specific on explanations of specific HIPAA requirements and our take on a compliance checklist.