With all the talk of compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the various criteria that must be met to pass an audit, it is easy to lose sight of the fundamentals behind the law. What does compliance really mean? On the surface it refers to the steps that must be taken to pass a HIPAA audit. In practice, however, compliance simply means having sound standard operating procedures (SOPs) and following them. Codifying those procedures into a formal requirement is the real point of HIPAA.

Because "best practices" is not something that can be objectively agreed upon, HIPAA was drafted with the input of many experts. Instead of focusing on ticking boxes in a compliance checklist, organizations should consider teaching employees about HIPAA at a fundamental level and imparting a sense of what real security is, in both the digital and the physical sense of the word. The cost of not doing so is staggering. The Ponemon Institute's annual data breach study put the average cost of a breach at $3.5 million, an increase of 15% since 2013. Beyond the tangible financial loss, a breach also causes a profound loss of customer confidence, and that loyalty can be irreparably damaged.

To avoid a breach that could result from a security hole, first understand the complete life cycle of the data (where it is collected, how it is transmitted, where it is stored, who uses it, and how it is archived and finally destroyed) before taking the first steps toward checking off HIPAA compliance requirements. Map where the data flows from a top-down perspective, then try to anticipate breaches before they happen. Make sure that every step in the process is fundamentally sound from a security perspective.

It is often said that "compliance is just a snapshot in time". Being compliant today does not mean being compliant tomorrow or the next day. Today no mistakes were made; tomorrow a document is left in an insecure place, and on that day the organization is no longer compliant. When security fundamentals are maintained as an ongoing cycle, with a system in place and every employee aware of the reasons and procedures involved, abnormalities and mistakes are easier to spot before they become incidents. With a well-designed and well-maintained security environment, it is far less likely that the SOPs will need to be overhauled to gain or regain compliance. Starting from a strong security base is also usually much cheaper than launching a complete compliance initiative after the fact.

It is also worth noting that even with a well-designed security framework, protected health information (PHI) is a unique kind of beast. The risk of compromise is much higher than in many other industries, in part because PHI is long-lived and, unlike a card number, cannot simply be reissued once exposed, so even while following every HIPAA guideline and security requirement a breach can still occur. With a good sense of security awareness, a well-informed employee pool, and sustained attention to the core concepts of security, it is possible not only to maintain compliance but also to keep the data secure.