Wednesday, March 19, 2008

Free (Almost) HIPAA Compliance



HIPAA was the first drop in what has become a regulatory deluge. Twelve years ago Congress enacted a law which on the surface aimed to give Americans more control over their health care data, but which actually was the first law mandating standards for securing data. A flood of regulations followed: Sarbanes-Oxley (SOX), the Patriot Act, FISMA, FFIEC, FDA, COOP/COG, Basel II, GLBA, PCI, etc., etc. With each new piece of legislation, the regulations became more refined and better defined what was expected of Information Technology (IT) professionals. Lost in this blizzard of sometimes conflicting governmental regulations is the standard that started it all: HIPAA. While it is true that HIPAA is more of a “guideline” than a “mandated standard” as far as IT is concerned, the benefits of compliance should not be overlooked. In fact, compliance with HIPAA standards can be a very easy task if the organization has implemented an overarching security framework and has been forced to comply with one of the other previously mentioned regulations.

Businesses do not exist in a vacuum and neither does the data they use and create. It would be a difficult undertaking these days to find an organization of any size that is not forced to comply with at least one regulatory body (and larger organizations must comply with a half-dozen or so). HIPAA has often been put on the back burner, even at large national health care organizations, because the fines associated with non-compliance pale when compared to other statutes. For example, the maximum HIPAA fines are $100 per individual per instance up to a maximum of $25,000 per institution per year. SOX legislation by comparison carries the very hefty threat of 20 years in Federal Prison, and up to $5 million in fines. Naturally, organizations pushed hard to become SOX compliant, even though this legislation postdates HIPAA by 6 years. The positive fallout is that most of the IT work previously done can be leveraged in getting an enterprise HIPAA compliant. SOX and PCI compliance have been the 2 major driving factors in the non-financial sector over the past few years and, while each is unique and distinct, they both have “industry best security practices” at their cores. And these very same best practices are what we will leverage in our HIPAA work.

Most organizations have already gone through at least one iteration of information security evaluation. In the hands of a skilled and certified IS professional, data from one compliance audit can be re-used and dramatic cost savings realized. Of course, certain aspects of a HIPAA compliance audit are unique and work in these areas may need to be performed. But depending on which previous IS examinations have taken place, and the availability of this information to the IT staff, performing a HIPAA compliance audit can be easy, almost free and well worth performing.

Mindteck has personnel with experience performing HIPAA audits since 1996. We are experts at providing value to our clients while at the same time being conscious of their financial constraints. Using activities already performed and lessons learned, Mindteck personnel work hand in hand with the client’s IT staff toward the common goal of getting the enterprise compliant. Using proprietary software and methodologies, Mindteck staff can bring value to your HIPAA compliance endeavor and see your project to a successful conclusion.


© 2008 All Rights Reserved.
