Putting HIPAA Compliance and Security in Their Proper Roles

If you handle protected health information (PHI) or you’re a business partner of an organization that handles PHI, you’re responsible for meeting the rules of the Health Insurance Portability and Accountability Act (HIPAA). A failure to meet HIPAA compliance can result in heavy fines, so it’s important to prioritize the measures.

The mistake many organizations make is handling HIPAA compliance and security interchangeably, as if they were one and the same. While HIPAA may fall within a bigger security structure in your business continuity plan, it cannot replace a full security strategy. Here are a few of the common misconceptions around HIPAA compliance and security:

Security and compliance are not the same thing. Your security strategy is an ongoing set of tools that monitor and address the physical, technical, and administrative aspects safeguarding your electronic protected health information (ePHI). Healthcare compliance, including HIPAA, is the process of following rules, regulations, and laws that relate to healthcare practices. Compliance in healthcare can cover a wide variety of practices and observe internal and external rules. Oversight of compliance is done with auditing and monitoring to take a snapshot, in a moment of time, for reporting purposes in order to prove that the requirements have been met.

Meeting HIPAA compliance will not check the security box. Compliance requirements can be so detailed that you may make the mistake of believing that if you check each requirement off, you’ve also met some pretty high standards for a security strategy.

This is a critical mistake. HIPAA compliance includes a set of rules that change slowly, while your security strategy should be created with an eye towards an ever-changing threat that shifts on a daily basis. Compliance only involves working to make sure that certain practices and policies are in place and it generally is attended to annually. This kind of framework is woefully inadequate for security management, which requires a cohesive, layered approach.

Compliance doesn’t work well as a blueprint for security. Using compliance to build a security strategy is ineffective because it leaves your organization vulnerable. Your security program needs to be built from the ground up, with compliance, including HIPAA and HITECH as a integral piece of the comprehensive approach.

Now that you’ve got a clear picture of why compliance can’t drive your security program, it’s easy to see why a technology solutions provider must be able to meet your expectations on both fronts:

• Not all security solutions are equal. If it only provides the bare minimum of controls when it comes to compliance, you should look elsewhere.

• Choose a technology partner that is versed in healthcare compliance. You need them to produce audits and demonstrate how they will support your security and compliance needs.

• Look for multilayered security, so that if one device or tool fails, you’re still protected.

• Prioritize transparency. You should receive clear and open answers about how your data is being protected. Cover the “what if” scenarios early on.

To continue the conversation around compliance and security, contact us at Effortless. We are the experts in both, and offer enterprise-grade cloud solutions for healthcare organizations. We can help you build the security program you need to minimize your vulnerability, while also being fully prepared for a compliance audit.