Monday, January 4, 2010

It's 2010, Are you HIPAA Compliant? (MIAOULIS WRITES)

With all the new enforcement, penalties, and regulations, the one question everyone wants answered is "Are we HIPAA compliant?" This can be a tricky question because no one can be 100% sure of what "compliant" means. In evaluating organizations I use the following criteria to determine compliance:
  1. Does the organization have a written policy?
  2. Has the organization implemented REASONABLE controls? 
  3. Does the organization have documentation to prove they are compliant?
When an organization can answer all three with a "yes," I consider it compliant for that individual standard. It is important to note that for an organization to be compliant with a Standard, it must be compliant with each and EVERY Implementation Specification under that Standard.

Also, remember that to determine whether reasonable controls have been implemented, an organization needs a documented risk analysis process; without one there is no basis for showing why a given control was judged reasonable.
