HIPAA Compliance: A Demanding Effort Yielding Deserved Benefits

Gerald Drake III, IT Security Consultant

(Gerald Drake recently guest blogged for Ipswitch File Transfer, which offers integrated file transfer solutions. You can also read this blog post on the Ipswitch blog.) 

The heat is on! Compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has never been more scrutinized or more highly regarded. The push towards compliance has fueled businesses large and small to explore the options and necessary requirements of HIPAA compliance. Specifically, any organization that meets the HIPAA definition of a covered entity or business associate falls under the HIPAA compliance umbrella, regardless of how far removed it is from the point of treatment, and is subject to audit, fines, and penalties in the event of a breach. This includes organizations that create, receive, maintain, or transmit protected health information (PHI) on a covered entity's behalf, such as business associates and their subcontractors. Don't tread lightly: compliance with HIPAA, specifically the Security Rule, is a daunting task that many organizations will face, either through a proactive approach, in response to an OCR audit, or when a covered entity seeks satisfactory assurances.

Every organization's goal is to achieve compliance, but not all organizations are created equal. With security breaches occurring at an alarming rate, covered entities are searching for the right vendors that can secure their data appropriately. And why shouldn't they? Business associates provide a level of service to these covered entities, which directly translates into an immediate risk, albeit reputational in nature. By focusing on and achieving HIPAA compliance, business associates will improve their security posture, as well as safeguard the confidentiality, integrity, and availability of the covered entity's data. Additionally, HIPAA-compliant business associates will reduce their risk exposure, enforce best practices, and expand consumer confidence, whose value should not be underestimated.

An organization may ask itself, "What is the path towards compliance?" The path starts with performing a HIPAA Security Rule assessment, which can be performed internally or by an independent, third-party assessor. The HIPAA Security Rule is made up of Administrative, Technical, and Physical Safeguards, as well as Organizational and Policy/Procedure Requirements. Each safeguard contains specific standards and implementation specifications that must be satisfied in order to validate compliance. The resulting compliance assessment of the HIPAA Security Rule focuses on common IT general controls, such as: risk management, physical and logical access control, protection from malicious software, disaster recovery, information security policies and procedures, workstation security, and encryption of data in transit and at rest.

A risk-based approach to HIPAA compliance is critical to appropriately securing data, specifically ePHI. The benefits are both quantitative and qualitative. Consumer confidence cannot be quantified, but rest assured, a proven HIPAA-compliant business associate gains an immediate competitive advantage over its non-compliant competition.

Don't be left on the outside looking in. Initiate the HIPAA compliance process now: it is no longer a request; it is required.

Gerald Drake III