Think a strong information security posture means you’re complying with HIPAA?

By now it’s a well-trodden cliché to say that even the most stringent compliance with HIPAA does not mean sensitive health data is actually secure – but what about an inverse of sorts: the idea that strong security can be transformed into good regulatory compliance?

“Good security is not enough to demonstrate HIPAA compliance,” said Adam Greene, Partner at the law firm Davis Wright Tremaine. “Even very mature information security programs are often lacking documentation that the primary regulator is expecting.”

It’s not an entirely uncommon situation for hospitals to be in, either. Greene said that’s because information security shops and compliance teams often are not aligned closely enough to make it happen.

“The challenge I often see is that compliance and information security are in separate silos. Information security professionals are really good at information security, but have not received education on what regulators are seeking to demonstrate compliance,” Greene said. “Compliance staff may be better at understanding how to demonstrate compliance, but may not feel like they have the competence or authority to bring their compliance skills to the information security side of the house.”

Given that scenario, how can hospital and healthcare executives bridge that chasm to ensure that information security teams and compliance efforts operate in lockstep to serve both purposes?

“It is a combination of documenting your security efforts in a way that will enable you to get credit for everything positive that you have done, ensuring that your risk assessment is consistent with the regulator’s ideas, which may differ significantly from many information security professionals’ preferred approach, and understanding the level of detail that the regulator expects to see in policies and procedures,” Greene said.

Greene is scheduled to speak at HIMSS19 during a session titled “Turning Good Information Security Into Good HIPAA Compliance,” on Wednesday, February 13, from 11:30-12:30 p.m. in room W320.


Healthcare IT News is a HIMSS Media publication. 
