I get a bit irritated when I see a vendor touting their “compliance solution” products as making organizations “HIPAA Compliant” or “PCI DSS Compliant” or whatever your regulation of choice happens to be, and then, upon inspection of their products, see that they are just taking something they already had, slapping some marketing language into the description, picking a few of the regulatory requirements that their product may do (fully or partially) and then calling it a “compliance solution.”
Organizations need to understand that regulatory oversight agencies typically publish exactly what they will be looking for when they conduct a compliance audit. Read that agency guidance before you invest large sums in a product proclaimed to be a compliance solution; a product that maps to a handful of requirements does not make the organization compliant, and the auditor will be working from the agency's list, not the vendor's.
For instance, consider HIPAA: the US Department of Health and Human Services (HHS) has provided an abundance of compliance information through the Centers for Medicare and Medicaid Services (CMS) and Office for Civil Rights (OCR) sites.
And even though the OCR is now responsible for compliance with both the HIPAA Privacy Rule and the Security Rule (Security Rule enforcement moved from CMS to OCR in 2009), the guidance on the CMS site is still relevant and important to follow.
In fact, the following documents should be required reading for any HIPAA Covered Entity (CE) or Business Associate (BA)…
- HIPAA Compliance Review Summary [PDF, 203 KB]: Provides a summary of findings from Security Rule compliance reviews. Quite revealing…learn from it!
- Compliance Review Examples Covered Health Care Providers [PDF, 70 KB]: These are great case studies to use for training…use them!
- Information Request For Onsite Compliance Reviews [PDF, 43 KB]: The list of documents and other items you will be asked to provide to HIPAA oversight auditors…have them ready!
Considering the significant expansion of HIPAA responsibilities that resulted from the HITECH Act, which made BAs directly accountable for Security Rule compliance rather than only contractually bound through their CEs, the number of organizations that should be reading these valuable guidance documents has multiplied several times over!
Tags: awareness and training, breach law, breach notification, breach response, HIPAA, HITECH Act, Information Security, IT compliance, IT training, patient privacy, personally identifiable information, PII, policies and procedures, privacy training, security training