Who Certifies HIPAA Compliance?

The short answer is no one. Unlike PCI, there is no one that can “certify” that an organization is HIPAA compliant. The Office for Civil Rights (OCR) from the Department of Health and Human Services (HHS) is the federal governing body here. And, HHS does not endorse or recognize the “certifications” made by private organizations. There is an evaluation standard in the Security Rule § 164.308(a)(8), and it requires you to perform a periodic technical and non-technical evaluation to make sure...

Read More

How do I become HIPAA compliant? (a checklist)

A little housekeeping before we answer the question. This article is not a definitive list of what is required for HIPAA compliance; you should assign a Privacy Officer to review each rule in its entirety. This article is intended to point you in the right direction. So you have determined that you are handling protected health information (PHI) and that you need to be HIPAA compliant. What’s next? What steps need to be taken in order to become HIPAA compliant?

Read More

HIPAA Physical Safeguards Explained, Part 2

In a previous blog post titled, HIPAA Physical Safeguards Explained, Part 1, we covered the basics of the Physical Safeguards and the first of four standards. In this post, we’ll cover the remaining three standards: Workstation Use, Workstation Security and Device and Media Controls. If you skipped part 1 of the series, you should read that first. Otherwise, Let’s dive right in. The Workstation Use standard states your entity must define what each workstation can be used for, how the work on...

Read More

Do I Need To Be HIPAA Compliant?

If you handle what’s called protected health information (PHI), then this is an important question to be asking because HIPAA violations can result in some serious penalties. What is PHI you ask? Good question. PHI is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment.

Read More

HIPAA Physical Safeguards Explained, Part 1

Update 10/27/2013: You can read part 2 of this series here Physical Safeguards are a set of rules and guidelines outlined in the HIPAA Security Rule that focus on the physical access to Protected Health Information (PHI). In contrast, Administrative Safeguards focus on policy and procedures, while Technical Safeguards focus on data protection. When we think about PHI, we typically think about the digital form of PHI: database records, PDF patient files, and MRI scan images.

Read More