The Path to HIPAA Compliance

The path to HIPAA compliance has many variables and includes several different assessments, but fortunately there are services available to assess your business with respect to HIPAA standards.

Risk Assessment:

A useful tool which has helped point numerous organizations in the right direction for compliance is a “HIPAA Risk Assessment”. Risk Assessments provide benchmarks for where your service should be, as compared to where you currently are. This is often referred to as a gap analysis with respect to HIPAA standards. Comprehensive security scans provide gap analyses and recommendations, which can act as a “roadmap” for HIPAA compliance. There is a human interaction component too: interviews are conducted with IT, Security and Business stakeholders to provide a holistic review of your compliance posture.

Data Encryption:

As the HIPAA regulations mandate that patients must be able to request electronic health records, data encryption will be a mainstay for your organization as long as HIPAA rules govern the industry. It is important to make sure your encryption standards are comprehensive and up to date, as audits will focus heavily on your encryption standards. Primarily there are three types of data that need to be encrypted: Data At Rest – on laptops, desktops and storage servers. Data In Use – data on servers that is constantly being accessed and rarely turned off. Lastly, Data In Motion – this refers primarily to email and possibly to large file transfers.

Additionally, according to the US Department of Health and Human Services (HHS), “Protected health information (PHI) is rendered unusable, unreadable, or indecipherable to unauthorized individuals if:

An encryption algorithm meets 45 CFR 164.304 (the “definition of encryption”);

The process or key that might enable decryption has not been breached;

Decryption tools should be stored in a device or at a location separate from the data they are used to encrypt or decrypt.”

It is important to understand both the magnitude and urgency of these newly mandated changes to HIPAA. While the deadline may have passed and no actions have been taken on your part to be compliant, it may be only a matter of time before your business is audited. Stay one step ahead and protect yourself, your clients’ rights to privacy, and most importantly, your company’s reputation.