The 3 Most Misunderstood Things About HIPAA Security

In conversations with health care professionals, I'm often shocked at how little they truly understand about HIPAA Security. Too often, I realize that I'm asking questions that they can't answer (and they should be able to!). I've found that there are 3 areas that most medical practices and managers are missing:

1 - HIPAA Security is NOT HIPAA Privacy

We've all been in a world of HIPAA for well over a decade. Most, if not all, medical professionals have been through HIPAA training and have heard all the buzz words. But my 'research' (talking to folks) has led me to understand that most training in the last 10 years has been 98% HIPAA Privacy Rule and 2% HIPAA Security Rule.

The problem with that ratio is that HIPAA Security Rule compliance is actually a bit more involved than the Privacy side. It takes more effort, more decisions and more follow-through than Privacy. There are distinct differences between the two rules, and if you don't know what they are, you need to learn!

2 - HIPAA Compliance isn't the end of a journey (or a checklist)

You will NEVER become so 'HIPAA Compliant' that you can stop working at it. Compliance with the Security Rule requires a LOT of continual processes and revisiting of your decisions. As your operational environment changes, your approach to Security Rule compliance will need to adjust.

The government doesn't offer a 'certificate' for someone who has achieved 'HIPAA Compliance', and if someone did give you a certificate, they didn't know what they were doing! HIPAA Compliance is here to stay, and it's part of your everyday life. I'm sorry to say, there is no finish line.

3 - Your IT guys can HELP, but they can't DO your Compliance

If I've heard this once, I've heard it a million times: "My IT Company takes care of our HIPAA Security". BZZZT! Wrong answer. If you take nothing else from this blog, get this: You can't outsource your compliance!

While your IT vendor does need to understand how they can help you with your compliance and they should be able to point out potential issues with your systems, YOU have to make the decisions, create the policies and document the settings of everything that affects your data integrity. This doesn't mean you have to become a network administrator, but it does mean that you are responsible for your data, so you'd better be sure you and your IT vendor are covering your bases together.

Jeff Franks is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software solutions. HIPAA FLIGHTPLAN is web-based software that provides centralized documentation of your HIPAA Security Rule compliance program. HIPAA TIPS is web-based software that delivers Security Awareness training to your entire staff, every month, without impacting your daily operations.