Much time is spent by organizations trying to attain "HIPAA Compliance," but what that really means is often confused. HIPAA can be confusing and complex; primarily because the Rules often leave wide latitude for individual organizations to define what safeguards are reasonable and appropriate for them to implement. It is this flexibility that causes confusion, as well as making HIPAA Compliance difficult to define and attain.
HIPAA specifically requires organizations to do very few things.
Some of the safeguards that an organization must implement include staff training, having business associate agreements, conducting a security risk analysis, and having a risk management plan. However, the HIPAA Rules do not go into any depth about how any of these tasks should be completed (although there is some published guidance on these topics). Therefore, there is still flexibility even in these more prescriptive instances.
The majority of the HIPAA rules can be boiled down to ensuring protected health information (“PHI”) is secure and private in ways that are reasonable and appropriate for your organization. As a result, it is up to each organization to decide what types of safeguards are reasonable and appropriate for its specific situation.
To determine what is reasonable and appropriate for your organization, you must take into consideration,
It is not until you complete this process during a security risk analysis will you know what is truly reasonable and appropriate for your organization, and thus the complete list of everything that you must do to be HIPAA compliant.
To be truly HIPAA compliant, you must not only be doing the things HIPAA specifically requires, but you must be in compliance with your own policies and procedures.
It is primarily in the policies and procedures in which you will codify the safeguards you identified as reasonable and appropriate for your organization. At that point it is two steps to being HIPAA compliant; having documentation that outlines how you will keep protected health information secure and private, and the execution of the safeguards. If you have great processes in place, but those are inconsistent with your documentation (or you have nothing documented), you are not in compliance. Similarly, if you have documentation that explains your safeguards, but you don't actually follow through, you are also not in compliance. You must have both process and documentation, plus the required elements, to be "HIPAA compliant."
HIPAA provides great flexibility to what safeguards you implement, as long as the result is that protected health information is secure and private. Instead of using that as a burden to developing and implementing safeguards, it can be a benefit by allowing you to craft the safeguards that work best for your organization. As long as you document and consistently implement those safeguards, in addition to conducting the required elements of HIPAA, you can be considered “HIPAA compliant.”
With our solution, you can easily become HIPAA Compliant in 30 days or less.
Compliance and security are complex, but they don't have to be hard to comprehend. Check out our resources page for more educational ebooks, presentations, infographics, and more!
Our resources are compiled by our experts here at QI Express. With backgrounds in information technology consultation, IT systems design, audits, law, and patient-facing clinical roles, our team is able to leverage a unique scope of experience to deliver the most comprehensive educational material possible.