The phrase “HIPAA Assessment” is thrown around to mean many things. Just like many other terms in cybersecurity, it can be used and misused. Without a good understanding of what HIPAA means and what it means to have a full HIPAA Assessment, you could be putting your healthcare business in jeopardy.
Part 1: Before the HIPAA Assessment
Understanding what HIPAA is and why it’s important will help you make better judgements about your compliance requirements even without firm legal or regulatory guidance. Too often we try to remove the brain power requirement from these exercises, but we usually end up getting bit in the butt for it. You can’t make a checklist for every situation. Sometimes you just need some good old critical thinking.
HIPAA was created to protect individuals’ health care information. That’s it, nothing more. The goal is to prevent any healthcare information that can be attributed to an individual from being released, revealed, leaked, disclosed, whatever… without their consent. There are a few additional rules and caveats, but the previous sentences cover about 99% of it.
The Privacy Rule covers all healthcare information: written, spoken, smoke signaled, flown behind a plane on a banner, etc. The Security Rule applies to healthcare information in digital form. This is where the bulk of any HIPAA Assessment will take place, so that’s where we put most of our focus. The Security Rule is broken down into three areas of concern:
- Administrative Safeguards (the programs, processes, planning, documentation, and other boring parts that most people want to skip right over)
- Physical Safeguards (protect the castle where you store the individuals’ healthcare information)
- Technical Safeguards (securing the IT systems where the information is processed and stored)
When most people think of HIPAA, they only think of the Technical Safeguards. It’s hard to blame people for the limited view, though. Most people only think of the technology when we talk about cybersecurity in general. We’ve been fed the picture of the hoodied hacker in a dark room banging away at the keyboard for so long, that’s all that comes to most minds when we discuss the topic.
Stay tuned for Part 2: Understanding the HIPAA Assessment methodology. We’ll dive into the safeguards themselves, talk about the controls, and what we look for when assessing and auditing some of the more complex controls.
Already know you need help with HIPAA?
Visit our services page to see how we can help
Contact us today for a free and confidential consultation.