You Need These Things When You Get HIPAA Audited!

I get a bit irritated when I see a vendor touting their “compliance solution” products as making organizations “HIPAA Compliant” or “PCI DSS Compliant” or whatever your regulation of choice happens to be, and then, upon inspection of their products, see that they are just taking something they already had, slapping some marketing language into the description, picking a few of the regulatory requirements that their product may do (fully or partially) and then calling it a “compliance solution.”


Organizations need to understand that the regulatory oversight agencies typically communicate exactly what they will be looking for when they do a compliance audit. Look at those agency guidance documents before you invest huge amounts of money into some proclaimed compliance product.
For instance, consider HIPAA; the US Department of Health and Human Services (HHS) has provided an abundance of compliance information through the Centers for Medicare and Medicaid Services (CMS) and Office of Civil Rights (OCR) sites.
And even though the OCR is now responsible for both HIPAA Privacy Rule and Security Rule compliance, the guidance on the CMS site is still relevant and important to follow.
In fact, the following documents should be required reading for any HIPAA Covered Entity (CE) or Business Associate (BA)…

Considering the significant expansion of HIPAA responsibilities that resulted from the HITECH Act, the numbers of BAs has multiplied by several times the number of organizations who should be reading these valuable guidance documents!

Tags: , , , , , , , , , , , , , ,

Leave a Reply