Using HIPAA To Advance Your Security Initiative

[Excerpted from "Security Via HIPAA Compliance," a new report posted this week on Dark Reading's Compliance Tech Center.]

If your security organization is in the healthcare space, you inevitably are wrestling with the Healthcare Information Portability and Accountability Act (HIPAA). HIPAA compliance is one of the biggest challenges healthcare IT organizations face -- but it also could be an opportunity to advance your security agenda.

For security professionals to leverage compliance investment and activities for broader benefit, they must understand what’s driving current compliance investment.

First, it bears saying that the standards outlined in the HIPAA Security Rule are designed to address broad swaths of industry—from small clinics and physician offices to the largest institutional care providers and insurance companies. Because of this, the high-level security control objectives outlined in the Security Rule (standards) as well as the supporting controls are extremely broad and lacking in technical specificity.

How can security organizations make use of compliance activities? They can start with risk management, which historically has been a challenge for security organizations, both in and out of healthcare. But the HIPAA Security Rule is tied tightly to risk management activities, a coupling security organizations can leverage to make progress they probably couldn’t make otherwise.

IT organizations in healthcare can sometimes feel like they are at odds with compliance teams. This is because the standards and implementation specifications outlined in the HIPAA Security Rule have a technical impact, but are usually tracked and managed by nontechnical compliance teams.

The bottom line is that the compliance team’s interpretation of implementation specifications must be in sync with the technical security team’s. One way to do this is to reach out to the compliance organization and walk through its existing compliance strategy with its people.

Compare your interpretation with the compliance team’s by going through (in detail, and drawing on your technical understanding) how members of that team feel you do or don’t meet the requirement. Then discuss with them candidly where exceptions and complexities might lie. If you identify gaps in understanding on either side, discuss each gap and what to do about it until you reach agreement. It’s likely to be the case that interpretations will differ.

You can leverage some of the recent changes in HIPAA Security Rule enforcement to help you meet pernicious, difficult-to-implement controls in certain circumstances when they intersect with vendors and business associates. For example, under HITECH, compliance and enforcement of the Security Rule now extend to business associates—those entities that are not part of your company but might support you when it comes to handling and processing PHI.

To get in-depth analysis and recommendations on how to leverage the HIPAA requirements to further your security efforts, download the full report on HIPAA security compliance.

Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.