Ask The Security Expert: Questions & Answers

What's the best strategy to catch up on HIPAA compliance quickly?

Expert response from: David Mortman, featured expert

QUESTION POSED ON: 04 November 2008
Since HIPAA regulations have never been enforced (until recently), management has let our HIPAA compliance efforts fall woefully behind. What's the best place to start so that we can become compliant as quickly as possible?
There's a long road in front of you, but better late than never. The best place to start is with a mandate from the executive team declaring that HIPAA is now a priority. Without the support of management, your efforts will be an exercise in futility.

The essentials of any good compliance program can be broken down into the following broad categories: management support, knowledge, documentation, education and controls.

Assuming the compliance program has management support, the next step involves working with the various business units to identify what data falls under HIPAA regulations, who has access to it and what controls are in place to protect it. This is also a prime time to review the existing security and privacy policies.

Once a baseline is established, it's time to move into the documentation phase. Documentation is key, as it will enable you to cleanly communicate to upper management where any deficiencies lie in the existing data protection program and justify the necessary changes that will bring the company into compliance.

This brings us to education. For a compliance program to be successful, everyone involved needs to understand what the requirements are (policies, procedures, etc.) and why they are important, as well as the consequences of non-compliance. In the case of HIPAA, there is also a mandate to notify patients and customers of their rights, and employees need to understand that process as well.

The final category is controls. These are documented methods for ensuring that data stays where it is supposed to. While some of these will be technology oriented (firewalls, encryption, DLP, etc.), a good portion will also be process oriented (need to know, log reviews, manual audits, written permission for data sharing) and physical controls (locks, safes, document destruction).

Hopefully, once you've documented the company's current position and properly educated management about deficiencies, they will approve the necessary funding and changes so you can start working on the plan for remediation. Good luck!