It's 2010, Are you HIPAA Compliant? (MIAOULIS WRITES)

With all the new enforcement, penalties, and regulations the one question everyone wants anwered is "Are we HIPAA Compliant?".    This can be a tricky question because no one can be 100% sure of what compliant means.  In evaluating organizations I use the following criteria in determining compliance

1. Does the organization have a written policy?
2. Has the organization implemented REASONABLE controls? 
3. Does the organization have documentation to prove they are compliant?

When organizations can answer all three with a "yes"; then I consider them compliant for that individual standard.  It is important to note, that for an organization to be compliant with a Standard, then they must be compliant with each and EVERY Implemementation Specification. 

Also, remember to determine if reasonable controls have been implemented, organizations need a documented risk analysis process.