Their Claim to Fame – So-Called HIPAA-Compliance Experts and Tools

January 15, 2015, Andrew Hicks, Managing Principal, Coalfire

Have you noticed how many vendors and software solutions are out there claiming they can make you HIPAA-compliant? At the end of the day that's simply not possible, because only you can make your organization HIPAA-compliant: a tool or a consultant can support the program, but the covered entity or business associate owns the risk analysis, the controls and the compliance. I came up with a list of "red flags" that I typically see from vendors, contractors and the like.

1. They don't spell HIPAA right. I see HIPPA and HIPPO, and even worse.

2. They don't perform testing to ensure that controls are operating effectively.

3. They use the Security Rule as a checklist instead of interpreting each implementation specification to determine what controls should be in place. The Security Rule is deliberately technology-neutral, so the work is mapping each specification to the actual controls in your environment and then testing those controls. For instance, many "checklist" HIPAA assessors won't look at firewall rules because HIPAA doesn't mention firewalls, even though a firewall rule review is exactly how you would test whether access to ePHI systems is actually restricted the way the policy says it is.

4. They say they will "certify" your environment or use "bona fide" methodologies, when in fact there is no such thing: HHS does not certify any person, product or organization as HIPAA-compliant.

5. Pricing does matter. Assessors that low-ball on price are probably just doing a gap assessment (a document and interview review with no detailed testing) or don't know what they're doing, and those that high-ball on price (e.g., CPA firms) are taking you for a ride.

6. They use QSAs (PCI Qualified Security Assessors) or IT security generalists with no healthcare or HIPAA experience. Look for credentials such as HCISPP, certified HITRUST assessor, CIPP, etc.

7. They say that a SOC assessment is equivalent to a HIPAA assessment. This is completely untrue; a SOC report is scoped to the controls the service organization chose to describe, not to every standard and implementation specification of the Security Rule.

8. They think a risk assessment and a compliance assessment are the same thing. They aren't. A risk assessment identifies threats and vulnerabilities to ePHI and the likelihood and impact of each; a compliance assessment tests whether the required controls are in place and operating effectively. The Security Rule requires the former and an assessor delivers the latter, and you need both.

9. They can't explain their methodology for performing a HIPAA assessment. Back to #3: they should be able to walk you through their methodology and identify exactly how they will test against every standard and implementation specification.

10. They aren't well versed on the differences between HIPAA, HITECH, and the Omnibus Rule. If they don't understand those differences, they won't be offering you a customized assessment approach for your organization, hence the term "checklist" auditor.

Lesson learned? Take the time to conduct your due diligence before you engage with a vendor or a contractor, because you get what you pay for.

Andrew Hicks
