I recently read a headline that stated: “CISO: Compliance Is the Wrong InfoSec Focus”. The article goes on to say, “I'm going to improve our maturity of information security controls and then, out of that improvement of those controls ... will come much better regulatory compliance.” HIPAA, however, is as much about privacy as it is about information security.
I have had many people explain to me that they didn’t need to be HIPAA compliant because they were already compliant with some other standard. HIPAA, HITECH and the Omnibus Rule share some attributes with other standards such as SSAE 16 / SOC 1 / SOC 2, but they are much broader. The Privacy Rule in particular is something that IT departments tend to ignore.
The Cycle of Compliance has three main components: a HIPAA risk assessment (the NIST protocol is the industry standard), written policies and procedures that have been tailored to the organization, and training and awareness based on the organization’s own policies and procedures. Having a “canned” set of policies and procedures is certainly not adequate, nor is training based on policies and procedures that are not actually in place in the organization. Staff will adopt policies and procedures more readily if they are trained on the specific policies and procedures developed for their organization.
The Cycle of Compliance covers all of the HIPAA requirements, and documenting these activities helps build a legal firewall around an organization. Once set up properly, this process contributes to greater productivity and job satisfaction for staff while requiring only a few hours a month to maintain.
Information security is an important part of HIPAA compliance but not the “whole enchilada” as we say here in California.