
HIPAA and HITECH compliance: Who should perform assessments?

Here are some important criteria for hiring a partner to review your information security program, with a focus on HIPAA and HITECH compliance.

It's budget season and I want to validate my information security program. What should I look for in a good firm to come in and do a soup-to-nuts inspection of my security program, with a focus on being compliant with HIPAA and HITECH compliance requirements?

It's always a good idea to have an independent firm look at your information security program, no matter how confident you are in your own team. It's easy for those within an organization to become blind to security vulnerabilities, simply because they're working with the plan every day. Engaging a fresh set of eyes to conduct a thorough security review may point out opportunities to improve security controls and reduce the organization's exposure to information security risk.

The first major criterion to use when selecting a partner to perform this assessment is its information security expertise. How many similar engagements has the firm performed in the past? What are the credentials of the team that will be on-site performing your assessment? Don't be fooled by the flashy résumés of top executives the sales team shares; make sure you understand the background of the "feet-on-the-ground" staff who will actually perform the assessment.

It's also important to find a partner that has expertise in your industry. The more familiarity a consultant has with your particular field, the less explaining you'll need to do and the more likely they will be able to complete a useful assessment at minimal cost. Take HIPAA and HITECH compliance, for example: Make sure the assessment team you hire has experience in the healthcare industry. Also, you may want to structure the engagement so it not only meets the organization's needs, but also satisfies the requirements for regular HIPAA risk assessments.

Finally, ensure you're comfortable with the partner. As with any knowledge-based engagement, the product you receive is simply the written report of its findings based on its professional expertise. If you don't have confidence in the accuracy, integrity and expertise of the firm conducting the assessment, the final product will have little value to the organization.


Next Steps

Check out more from Mike Chapple on how security risk analysis can help with HIPAA compliance, whether HIPAA does enough to protect PHI and how to use the HHS security risk assessment tool for HIPAA audit prep.

This was last published in October 2015

2 comments

What do you look for in third-party firms to do information security program assessments?
Good morning. Is there a preferred guideline document out there speaking to best practices for secure coding in support of HIPAA-related applications? I am wondering about this specific to internet browsers but also mobile devices such as iPads, Droids and iPhones. Thank you.