2 Inseparable Parts of HIPAA Security


When working on HIPAA Security with our clients, I find that they often misunderstand what, exactly, it means to be 'HIPAA Compliant', especially when dealing with the Security Rule. Vendors don't help the problem: many make it sound like all you need to do is buy their product and you'll be 'HIPAA Compliant'. Whether it's 'HIPAA Compliant Firewalls', 'HIPAA Compliant Software', 'HIPAA Compliant Backups' or 'HIPAA Compliant Network Scanners', most vendors never explain to their clients what 'HIPAA Security Compliant' actually means. (The Security Rule does not certify products; it requires that your organization's safeguards match your own documented policies and risk analysis.)

When talking about security compliance, there are 2 main areas that you can't ignore, and can't separate from each other:

1. Security Policies

You MUST have accurate and up-to-date policies describing how you want your data to be protected. Each policy that you create will be unique to your network/environment. This isn't something you can do with boilerplate templates, just inserting your practice's name. You have to make each decision yourself and then write the policy that backs it up.

So, if you want to allow remote access by doctors, you must have a policy that lays out how you want that to work, how you will ensure that the connections are secure (for example, VPN only and multi-factor authentication), and who will have rights to that kind of access.

(Shameless ad: we can help you keep your policies in order and accessible with FlightPlan.)

2. HIPAA Compliant Equipment/Configuration

Once you have your policies in place, NOW you can look at what equipment or setups will allow you to adhere to those policies. Your IT vendor should be able to use your policies to design the best/most efficient methods to achieve your goals (not the other way around, where the equipment you happen to own dictates the policy!).

Most IT vendors miss this point completely. The 'kind' of hardware they install is irrelevant to your 'HIPAA Security' if that equipment isn't configured to be, or even capable of being, in line with your policies.

The biggest mistake many medical practices make is assuming their IT vendor is 'handling' their HIPAA Security for them. That's IMPOSSIBLE for them to do! While the IT vendor will assist you with your compliance, YOU have to decide how you want to secure your data (with their help); then your IT company/department can work toward making the network behave the way your policies require.

Just remember, a $100,000 firewall makes you no more 'HIPAA Compliant' than a $1,000 firewall if the policies aren't there to match the setup, and a policy makes you no more compliant if the setup doesn't actually enforce it. Policies and configuration are inseparable.
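To make the "policy first, then configuration" point concrete, here is an added example (not code from the original post, and not a FlightPlan feature) that turns the remote-access policy decisions described above into checks and runs them against two constructed appliance configurations. The policy, both configurations, and every field name (`mfa_enabled`, `direct_rdp_exposed`, etc.) are assumptions made up for illustration; a real check would pull the settings from your actual firewall or VPN appliance.

```python
"""Compare a remote-access configuration with the practice's written policy.

Added example, not code from the original post. The policy, the two
configurations and every field name are constructed for illustration; a
real check would read the policy from the practice's documents and the
settings from the actual firewall/VPN appliance.
"""


# The decisions a practice might write into its remote-access policy
# (constructed; mirrors the "remote access by doctors" scenario).
REMOTE_ACCESS_POLICY = {
    "allowed_roles": {"physician", "nurse_practitioner"},
    "require_mfa": True,
    "require_vpn": True,          # no direct RDP exposure to the internet
    "min_tls_version": 1.2,
    "max_idle_minutes": 15,
}

# Settings as exported from two appliances (constructed). The first is an
# expensive box left on its defaults; the second is a cheap one configured
# to match the policy.
EXPENSIVE_DEFAULT_CONFIG = {
    "roles_with_remote_access": ["physician", "billing", "front_desk"],
    "mfa_enabled": False,
    "direct_rdp_exposed": True,
    "tls_version": 1.0,
    "idle_timeout_minutes": 0,    # 0 = sessions never time out
}

CHEAP_POLICY_ALIGNED_CONFIG = {
    "roles_with_remote_access": ["physician"],
    "mfa_enabled": True,
    "direct_rdp_exposed": False,
    "tls_version": 1.3,
    "idle_timeout_minutes": 10,
}


def check_remote_access(policy, config):
    """Return the list of ways `config` departs from `policy` (empty if none).

    Each rule is one policy decision turned into a concrete check, which is
    the mapping the IT vendor should be working from.
    """
    findings = []

    extra_roles = set(config.get("roles_with_remote_access", [])) - policy["allowed_roles"]
    if extra_roles:
        findings.append(f"remote access granted to roles not in policy: {sorted(extra_roles)}")

    if policy["require_mfa"] and not config.get("mfa_enabled", False):
        findings.append("policy requires MFA; MFA is disabled")

    if policy["require_vpn"] and config.get("direct_rdp_exposed", False):
        findings.append("policy requires VPN access only; RDP is exposed directly")

    tls = config.get("tls_version", 0)
    if tls < policy["min_tls_version"]:
        findings.append(f"policy requires TLS >= {policy['min_tls_version']}; configured {tls}")

    idle = config.get("idle_timeout_minutes")
    # Missing or zero means "never", which is the usual way this control
    # silently fails, so treat it as a violation rather than a pass.
    if not idle or idle > policy["max_idle_minutes"]:
        findings.append(
            f"policy requires idle timeout <= {policy['max_idle_minutes']} min; configured {idle}")

    return findings


def compliance_report(policy, configs):
    """Map each configuration name to its findings, so the report can be
    filed next to the policy it was checked against."""
    return {name: check_remote_access(policy, cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    report = compliance_report(REMOTE_ACCESS_POLICY, {
        "expensive_defaults": EXPENSIVE_DEFAULT_CONFIG,
        "cheap_policy_aligned": CHEAP_POLICY_ALIGNED_CONFIG,
    })
    for name, findings in report.items():
        status = "matches policy" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run as a script, the expensive appliance on factory defaults produces five findings and the cheap one configured to the policy produces none, which is the whole point: the checks come from the policy, not from the price tag. The idle-timeout rule deliberately treats a missing or zero value as a failure, since "never time out" is the default on many appliances and is the setting most likely to slip through a checklist that only looks for a number.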


For even more misunderstood concepts of HIPAA Security, check out our Blog.