Why HIPAA Security is NOT about Technology


When I've talked with people in the medical field who are trying to comply with the HIPAA Security Rule, I often hear them talking about technology. Antivirus, passwords, "HIPAA compliant backups", secure email, firewalls, and encryption all come up in the conversation. Often it goes something like, "If we implement encryption, that will make us HIPAA compliant, right?" It may be true in some cases that encryption is needed, but that's not really the point of complying with the Security Rule.

Compliance Is Being Intentional

Very rarely do I hear clients talk about their processes, their decisions, their analyses, their policies & procedures, their reviews, or their risk management. Yet these are the meat of the Security Rule. Certainly, technology must be implemented, but the standards of the Security Rule are more about (1) how you go about deciding what technology you need to service your ePHI, (2) how you will control who accesses it, (3) how you will protect it from theft, damage or loss, and (4) how you will make sure it is available when needed. It's about taking a very intentional and systematic approach to driving the process that ultimately results in the confidentiality, integrity and availability of your ePHI.

Compliance Is Being Thorough

The main point of compliance is to execute the process of actually thinking through how you use, store and access ePHI and how vulnerable it is in your work environment: to be thorough and think of everything that could happen to your ePHI, then to take measures to protect it, measure the effectiveness of those protections, and make adjustments as things change, all the while documenting your research, decisions and actions.

Re-evaluating your past decisions and thinking ahead on future changes plays a critical role in continually improving your security. Thoroughness is your friend. But don't get bogged down in thoroughness to the point that you don't act on anything. Do what you know to do, then circle back over and over. It's a process, not a destination. Eventually, you'll have a very tight program of compliance that can actually have a positive impact on your bottom line.

Documentation Is King

The documentation serves three great needs. One is to be able to show a history of your compliance if you ever have to, such as in the case of an audit, investigation or compliance review. The second is to provide yourself a history of decisions and actions that can help you make better decisions in the future. And the third is to protect the organization in the event you leave or get run over by a milk truck on the way to work one day. Having a documented compliance process with history that is easily understood prevents the organization from getting derailed when a key person, like you, is no longer available.

Summary

For sure, you are going to use technology to secure your ePHI. The question is, are you doing it haphazardly and in a reactionary way, OR are you doing it on purpose in an intentional and systematic way? When technology drives the process, you will end up hitting certain areas (technologically) and overlooking others. And you still won't be able to demonstrate compliance. Real compliance with the Security Rule aligns compliance liability with business objectives and makes technology serve the organization's needs.



Phil Cooper is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software solutions. HIPAA FLIGHTPLAN is web-based software that provides centralized documentation of your HIPAA Security Rule compliance program. HIPAA TIPS is web-based software that delivers Security Awareness training to your entire staff, every month, without impacting your daily operations.


Phil Cooper

Phil Cooper is a serial entrepreneur and co-founder of Skysail Software. He co-founded NetTech, an IT services company, in 1995, which he and partner Jeff Franks sold to MapleTronics Computers in 2009. He currently serves as CIO for MapleTronics and is the Chief Software Architect for Skysail Software. His years in the IT services field have provided ample opportunity to work with physicians and administrators in the medical community. This first-hand experience has helped him understand the struggles that many independent practices face complying with HIPAA, especially the Security Rule. Along with Franks, Cooper decided it was time for the right tools to be built to assist the medical community with making HIPAA compliance manageable. So, Skysail Software was born. He has also served seven years on the board of Riverside Christian Academy, five as Board Chair, and has noted that it has been "one of the most significant and rewarding experiences of my life". He is an avid aviation buff and once had a rock band called Gantry... yes, along with Franks. Phil and his wife Debbie have two boys, Tyler and Ben, and reside in Fayetteville, TN.