Knock Knock. Who’s There? HIPAA. HIPAA Who? I Can’t Tell You.
Shortly after the Health Insurance Portability and Accountability Act (HIPAA) Security Rule was finalized in 2003, Family Service League, Inc. (FSL) began the process of determining whether it was in compliance. FSL was able to handle the required assessment in-house using Excel spreadsheets and documents from the HHS website.
It was a simpler time:
- Most servers were onsite and data resided within a WAN’s virtual walls
- The cloud was still a weather term
- Bills were transmitted using modems and fax machines
- The only users who had laptops were the top execs
- There were no electronic health records (EHRs) to speak of
- Blackberry was king
- The iPad was just a gleam in the apple of Jobs’s eye
When the Health Information Technology for Economic and Clinical Health (HITECH) Act was finalized in 2013, things became more complicated. Software as a service (SaaS) became the norm, and data in transit took on new meaning. The promise of Meaningful Use funds put EHRs on the map and into practice. Cell phones had more computing capacity than the original IBM PC. And if you did any business with a covered entity, you were required to follow all HIPAA regulations under the Omnibus Rule.
Doing an in-house HIPAA assessment was no longer feasible: the expertise needed to conduct it was vast and the mechanism to keep track of it was unwieldy. The threat of an audit, or even worse, a breach, was untenable. FSL did not want to simply have an assessment “done” but rather wanted to be able to assess, identify weaknesses, prioritize remediation, and then follow through.
This session will illustrate how FSL reached the strategic decision to use an outside vendor to assist with its HIPAA assessment, and how we worked together collaboratively to achieve our goal of HIPAA compliance within one year.
The 2017 audit process is rolling out. Are you ready?