With all the new enforcement, penalties, and regulations, the one question everyone wants answered is "Are we HIPAA compliant?" This can be a tricky question because no one can be 100% sure of what compliant means. In evaluating organizations, I use the following criteria to determine compliance:
- Does the organization have a written policy?
- Has the organization implemented REASONABLE controls?
- Does the organization have documentation to prove they are compliant?
When an organization can answer all three with a "yes", I consider it compliant for that individual standard. It is important to note that for an organization to be compliant with a Standard, it must be compliant with each and EVERY Implementation Specification.
Also, remember that to determine whether reasonable controls have been implemented, organizations need a documented risk analysis process.