HIPAA Compliance is an On-going Process

November 20, 2013

It is not hard to find “HIPAA Certified” in a Google search, and if it applies to an individual it can have some validity. However, if it implies that an organization or a software program is HIPAA Certified, it is certainly false. There are many ways to try to get around the fact that no one has the authority to certify. A lot of companies will say HIPAA Certified and then give a long and complex explanation of how they arrived at that conclusion.

Why hasn’t HHS given someone like the Joint Commission or ACHC the authority to do a site visit, declare you compliant, and give you a certificate, as they do with accreditation? HHS’ explanation is that it views HIPAA compliance as a process, not an event. As the following article eloquently states, things change: state laws change, federal laws and regulations change, your business model changes, and so forth.

If you are not engaged in HIPAA compliance activities on at least a monthly basis, you are falling behind. An interesting example is the organizations that blithely signed an attestation that they were compliant with the meaningful use core requirements, thinking that no one would ever check. When Figliozzi & Company began sending out audit letters, there were many requests for backdated risk assessments. I don’t know of anyone willing to risk a fraud charge by backdating.

So, you need a plan, you need reminders, and you need documentation of your HIPAA compliance activities, or soon you will find yourself attempting the impossible job of catching up. With our SaaS method we supply you with all of this, including a personal Helper, a privacy and security expert who understands that part of their job is nagging if necessary. Let us help you get compliant, stay compliant, and prove compliance with our Compliance Meter(tm).

Here is the article:

The challenges of compliance

Scott & Scott LLP

Brian Von Hatten

This firm often assists regulated entities with compliance-related concerns such as information security, due diligence, software licensing, and data breach notifications. As the universe of compliance obligations expands, so too does a company’s exposure portfolio. This increase in liability may result from a software publisher audit, failure to provide notice to customers about a data breach, or governmental agency fines. Compliance, like many other aspects of the business world, is a balance of risks. Unfortunately, it often takes an organization being rebuked in some fashion before it realizes the importance of being in compliance.

One of the most important tasks an organization can do with respect to compliance is to view its relevant policies and procedures as a living, dynamic set of documents. Compliance policies must constantly evolve with the changing environment for several reasons, but consider the following:

First, the laws vary. Consider, for example, data breach notice laws. Almost every state has its own identity theft protection and notice statute. While they generally track the federal guidelines governing financial institutions and health care providers, they can vary substantially.

Second, the laws may change or be preempted. Whether it is a state legislature revising a consumer protection statute, or a federal law or agency regulation change, it is safe to say that these are changing literally all the time.

Finally, the business may change. It may enter into new geographical markets, offer new products, or deal with concerns that implicate new laws.

These are only a few of the supporting reasons for reevaluating compliance obligations, but they also suggest that companies should consider these obligations as dynamic and worthy of continuous scrutiny.
