Podiatry Management Online



06/22/2017     Raymond Posa, MBA

HIPAA Security Regulations

Regarding the post, the IT guy is not correct in
suggesting that a lock on the server closet is
required in order to be compliant. It is a very
good suggestion, but it is not mandated.

One of the things to understand about the HIPAA
security standards is that they are purposely
written in very open language, so everything is in
shades of gray, very little is black and white.
The reason for this is that the standards apply to
all covered entities from a single provider office
to the largest hospitals, so writing very specific
requirements that fit both large and small would
be impossible. Rather, the regulation outlines the
goals and purpose and the individual can address
the requirements in a way that best fits their
practice.

With that being said, in the event of a breach of
some type and during an investigation, they will
scrutinize your approach to the security standards
and since it is all gray and the ball is in the
government’s court you could be in a difficult
situation. I tell my clients, the more pluses in
your column the stronger your defense in an audit
or investigation.

So, is a lock on the server door mandatory? No; but
a $20 lock on the door is real cheap insurance and
a great plus in your column.

Finally, the writer asks what else they could be
doing; the answer is easy. Do a thorough risk
analysis. Your risk analysis will identify any
weaknesses in the practice and then you can
remediate them. While many IT companies are aware
of some of the requirements of the security
standard, most are not fully versed in the entire
regulation and often end up doing an incomplete
job. It is always best to get a HIPAA expert in to
do your initial risk analysis, so it is done
properly and completely; from there, they can work
with your IT company and then they can help the
practice stay compliant going forward.

Raymond Posa, MBA, Farmingdale, NJ

Other messages in this thread:


10/01/2004    Mark J. Tuccio, D.P.M.

Tools for HIPAA Security Regulations

RE: Tools for HIPAA Security Regulations


The article written by Mr. Posa in the September
issue of Podiatry Management touches on many of
the different parts of the standard. He offers
different software solutions. My question is for
our elected colleagues at APMA, ACFAS, ABPS,
etc. Are you able to help us out with a low-cost
alternative to HIPAA tracking tools that address
gap analysis, developing policies and procedures
for our practices, implementation of policies
and procedures in our practices and overall
compliance with this standard?


Mark J. Tuccio, D.P.M.
Jamestown, NY


Editor’s note: The APMA has already released a
high-quality HIPAA Security Manual, written by
Kevin West, Esq., which is available for free to
members at http://www.apma-online.org/members/


Additionally, PM will be publishing an article by
Mr. West prior to the implementation of these
new regs. We have no knowledge of what
organizations will be doing. Be on the lookout
for lectures presented by Mr. Posa, Mr. West,
and Dr. Block on this topic.
