HIPAA compliance is no myth
A sound understanding of the Health Insurance Portability and Accountability Act (HIPAA) and how to apply its requirements in practical, real-world settings is the foundation of a successful compliance program—one that fulfills an organization’s legal obligations while defending patients, staff, and the organization from cyberattacks and damaging privacy violations.
Most organizations don’t set out to violate HIPAA, but misunderstanding the law can lead straight to a breach that could have been easily prevented. Furthermore, HIPAA myths can be contagious. Once one starts to spread, it can negatively affect privacy and security across organizations.
“Generally, these myths undermine the importance and impact of the HIPAA Security and Privacy rules,” says Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group in Marblehead, Massachusetts. “Some organizations prefer to believe them as justification for not proactively implementing good security and privacy controls.”
As with any misconception, HIPAA myths are spread largely due to a lack of dedicated expertise. A complacent attitude can lead organizations to simply accept word of mouth rather than checking HIPAA themselves. Often, organizations put the wrong person in charge of HIPAA compliance, says Kevin Beaver, CISSP, independent security consultant at Principle Logic, LLC, in Atlanta. Healthcare professionals have a role to play in privacy and security and can provide valuable information on how privacy and security impact patient care functions, but a HIPAA officer should be an individual with a background in law, IT, or security, he says.
Physicians are the experts in patient care; however, security is an entirely different discipline. Sometimes, physicians decide to overrule security professionals—even those physicians themselves have hired, Beaver says. That leads to questionable choices that harm the organization’s security. Just as a security officer wouldn’t prescribe medication to a patient, a physician shouldn’t make network security decisions.
Source: News & Analysis