What HIPAA says you should do

You are responsible for ensuring the confidentiality, integrity, and availability of all protected health information (PHI) you create, receive, maintain, or transmit.

You must:

  1. Protect it against any anticipated dangers to its security or integrity.
  2. Protect it against any anticipated uses or disclosures that are not permitted or required.

That means you need to:

  1. Identify what kind of PHI you process.
  2. Consider how it moves inside and outside your company.
  3. Consider what threatens its security (the dangers you anticipate).
  4. Evaluate your current security safeguards.
  5. Assess the likelihood that those safeguards will be breached.
  6. Put a plan in place to reduce that likelihood until it is low.
  7. Make a reasonable effort to implement the plan.

When evaluating vendors, ask them to explain how they assess and control risk. Never do business with a vendor whose standards are lower than what your clients expect from you.

If you follow this process, audits will be straightforward, and you won't spend more money than necessary.

I hope you found this valuable.