So, you're feeling good about your level of compliance with the HIPAA Security Rule.  That's nice, I suppose.  But that feeling is essentially irrelevant.

It doesn’t really matter how you feel about.  Nor does it matter how you feel about it.  What matters is this -- can you demonstrate it?  Can you clearly show how you are complying and that you have been complying for a period of time?  Just saying you have will not go very far.

You need to be thinking about....

In all the frenzy to chase meaningful use (MU) stage one dollars, there's one major concern that I have seen.  Core objective #15 is too easy to say "Yes" to.  Most of the MU Core Objectives require some attestation information or stats.  But not #15…simply say "yes" or "no".  Say no, and you don't get the dollars. 

It seems that a number of folks glaze right over this one with a perspective like, "Yeah, we're securing our network with passwords, antivirus and such…so sure, we're good on #15".  Or, they believe that by having performed some semblance of a risk analysis, they're all set.  I am sorry to say, if you're in one of these categories, you're likely treading on some very thin ice and flirting with something called fraud. 

Security Awareness Ranks 3rd Among Most Investigated Compliance Issues

In the HHS annual report to Congress for years 2009 & 2010, Security Awareness made the department's Top 6 list of compliance issues investigated.  The report outlined many of the enforcement activities including complaint investigations, compliance reviews and audits.  From the original compliance date through December 31, 2010, the compliance issues investigated most by OCR with regard to the Security Rule, compiled cumulatively in order of frequency, were: