Think a strong information security posture means you’re complying with HIPAA?

Without proper documentation for government regulators, infosec protocols might safeguard data without meeting federal criteria.
By Tom Sullivan
09:06 AM

Adam Greene, Partner at Davis Wright Tremaine, says even mature programs can lack documentation regulators seek. 

By now it’s a well-trodden cliché to say that even the most stringent compliance with HIPAA does not mean sensitive health data is actually secure – but what about an inverse of sorts?

That inverse is the idea that strong security can be transformed into good regulatory compliance.

“Good security is not enough to demonstrate HIPAA compliance,” said Adam Greene, Partner at the law firm Davis Wright Tremaine. “Even very mature information security programs are often lacking documentation that the primary regulator is expecting.”

It’s not an entirely uncommon situation for hospitals to be in, either. Greene said that’s because information security shops and compliance teams often are not aligned closely enough to make it happen.

“The challenge I often see is that compliance and information security are in separate silos. Information security professionals are really good at information security, but have not received education on what regulators are seeking to demonstrate compliance,” Greene said. “Compliance staff may be better at understanding how to demonstrate compliance, but may not feel like they have the competence or authority to bring their compliance skills to the information security side of the house.”

Given that scenario, how can hospital and healthcare executives bridge that chasm to ensure that information security teams and compliance efforts operate in lockstep to serve both purposes?

“It is a combination of documenting your security efforts in a way that will enable you to get credit for everything positive that you have done, ensuring that your risk assessment is consistent with the regulator's ideas, which may differ significantly from many information security professionals' preferred approach, and understanding the level of detail that the regulator expects to see in policies and procedures,” Greene said.

Greene is scheduled to speak at HIMSS19 during a session titled “Turning Good Information Security Into Good HIPAA Compliance,” on Wednesday, February 13, from 11:30-12:30 p.m. in room W320.


Twitter: SullyHIT
Email the writer: tom.sullivan@himssmedia.com 

Healthcare IT News is a HIMSS Media publication. 
