
HIPAA and HITECH compliance: Who should perform assessments?

Here are some important criteria for hiring a partner to review your information security program, with a focus on HIPAA and HITECH compliance.

It's budget season and I want to validate my information security program. What should I look for in a good firm to come in and do a soup-to-nuts inspection of my security program, with a focus on HIPAA and HITECH compliance requirements?

It's always a good idea to have an independent firm look at your information security program, no matter how confident you are in your own team. It's easy for those within an organization to become blind to security vulnerabilities, simply because they're working with the plan every day. Engaging a fresh set of eyes to conduct a thorough security review may point out opportunities to improve security controls and reduce the organization's exposure to information security risk.

The first major criterion to use when selecting a partner to perform this assessment is its information security expertise. How many similar engagements has the firm performed in the past? What are the credentials of the team that will be on-site performing your assessment? Don't be fooled by the flashy résumés of top executives the sales team shares; make sure you understand the background of the "feet-on-the-ground" staff who will actually perform the assessment.

It's also important to find a partner that has expertise in your industry. The more familiarity a consultant has with your particular field, the less explaining you'll need to do and the more likely they will be able to complete a useful assessment at minimal cost. Take HIPAA and HITECH compliance, for example: Make sure the assessment team you hire has experience in the healthcare industry. Also, you may want to structure the engagement so it not only meets the organization's needs, but also satisfies the HIPAA Security Rule's requirement for a documented, periodically updated risk analysis, so that one engagement produces both the security review and the compliance evidence.

Finally, ensure you're comfortable with the partner. As with any knowledge-based engagement, the product you receive is simply the written report of the firm's findings, based on its professional expertise. If you don't have confidence in the accuracy, integrity and expertise of the firm conducting the assessment, the final product will have little value to the organization.


Next Steps

Check out more from Mike Chapple on how security risk analysis can help with HIPAA compliance, whether HIPAA does enough to protect PHI and how to use the HHS security risk assessment tool for HIPAA audit prep.

This was last published in October 2015
