By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: Fly First Class and Pay Economy for HIPAA Compliance
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > eHealth > Fly First Class and Pay Economy for HIPAA Compliance
eHealth

Fly First Class and Pay Economy for HIPAA Compliance

Danny Lieberman
Danny Lieberman
Share
7 Min Read
SHARE

Contents
  • Yikes – How can I do this HIPAA compliance thing for as little money as possible?
  • Option 1 – DIY
  • Option 2 – Hire a HIPAA compliance consultant
  • How to get the most out of a HIPAA consulting engagement
  • Threat scenarios are the reality. Compliance regulation is the theory.

The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

Yikes – How can I do this HIPAA compliance thing for as little money as possible?

You have 2 options:

Option 1 – DIY

You can read the HHS documentation and and do it yourself. This is a not a bad option if you have the time and patience and have a solid understanding of information security and privacy compliance.

More Read

Dealing With Negative Feedback on Your Hospital Social Media
Social Media for Veterans
How Healthcare Social Media Links to Better Outcomes
Prepare Your Healthcare Website for Google’s Mobile-Friendly Algorithm Update
Social Media: The Good, The Bad & The Ugly

Even if you have the security background, be prepared to spend a lot of time reading documentation and getting up to speed on the relevant HIPAA security safeguards.

My colleague Dr. Martin Wehlou is a physician, software engineer and CISSP. Martin could do it himself. But – even if you are a Stanford Medical School graduate, you may want to get expert help on HIPAA compliance for your practice. Do not assume you understand.

If you are mobile app developer, think twice about the DIY strategy.

Consider that mobile healthcare medical devices need to be cleared by the FDA with a 510(K) submission for patient safety and also meet HIPAA requirements for patient privacy and security. Even though a medical device vendor itself is not a HIPAA covered entity, the vendor is considered a business associate to a covered entity and may be required to demonstrate provable security.

Option 2 – Hire a HIPAA compliance consultant

By now you realize that you should probably retain a HIPAA security and compliance consultant who will walk you through the security safeguards in CFR 45 Appendix A and help you understand what you need to implement.

How to get the most out of a HIPAA consulting engagement

You want 2 things from your HIPAA consultant:

1) You want him or her to help you consider multiple threat scenarios that threaten patient data, and do that for your specific business (medical practice, hospital, nursing home etc).

Ask you HIPAA compliace consultant to help you build a number probable threat scenarios – considering what could go wrong – employees stealing a hard disk from a nursing station in an ICU where a celebrity is recuperating for the information or a hacker sniffing the hospital wired LAN for PHI, or residents surfing adult sites with their radiology iPads.

2) Ask your HIPAA consultant to prioritize a set of the most cost-effective safeguards for your operation (and not copy and paste the last report he did for some other hospital).

Threat scenarios are the reality. Compliance regulation is the theory.

Dveloping realistic HIPAA compliance threat scenarios (as opposed to checking off the regulatory checklist) requires some work.

Threat scenarios are not “one size fits all”.

The threat scenarios for an AIDS testing lab using medical devices that automatically scan and analyze blood samples, or an Army hospital using a networked brain scanning device to diagnose soldiers with head injuries, or an implanted cardiac device with mobile connectivity are all totally different.

For a healthcare organization of up to 1000 employees and 1-3 physical locations, here is a rough rule of thumb to help you estimate how much time you should invest in the process.

Allocate 3-5 days brainstorming threat scenarios in a conference room with doctors, nurses and administrative staff – up to 7 people should do the job.

The process of brainstorming threat scenarios for HIPAA compliance has 2 steps:

  1. Step 1 – consider how much your assets (people, systems, business, patient data) are worth in dollars and cents. Then consider, the likelihood of occurrence and cost of damage. These are all things that can be estimated or measured.
  2. Step 2 – consider likely threats, for example: radiology tablets infected by malware and downtime that affects your ability to provide service is 1 threat scenario.

You and your HIPAA consultant should then spend another 2-3 days, analyzing the data and building a threat model. A good HIPAA consultant will help you look at your business from the perspective of an attacker and then recommend specific cost-effective, security countermeasures to mitigate the damage from the most likely attacks.

Now take the threat model back to the team and run it by them for a sanity check in a 1-2 hour meeting.

After the sanity check with the team that constructed the threat scenarios, you and your HIPAA consultant need to calculate your Value at Risk. Calculating VaR will help shed light on where to save money and where to spend money.

Using threat analysis for HIPAA compliance gives you 3 good things:

  1. It gives you the right security safeguards, cheaper and more effective than implementing the entire checklist. Doing the right thing is good.
  2. Managers, especially finance managers, relate well to the concepts of threat modeling. A good CFO understands the notion of value at risk, and being a good CFO, will want to implement the right compliance controls at the lowest cost. This is not a bad thing.
  3. When you use threat scenarios, you create a common language between physicians and IT. This is a very good thing.
TAGGED:HIPAA compliance
Share This Article
Facebook Copy Link Print
Share

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

contamination
Batch Failures And The Hidden Costs Of Contamination
Health Infographics
October 21, 2025
Medication Management For Seniors
Simplifying Medication Management For Seniors
Infographics Senior Care
October 21, 2025
Guide To Pursuing a Career in Nursing as a Foreigner in the USA
Collaboration Is the Prescription for Better Patient Care
Health
October 20, 2025
Epidemiological Health Benefits
Personal and Epidemiological Health Benefits of Blood Pressure Management
Health
October 13, 2025

You Might also Like

Engaging Patients in Palliative Care

December 2, 2012

#SXSW 2013: Top 10 Healthcare Takeaways

March 15, 2013
Artificial IntelligenceGlobal HealthcareHealth careMedical EducationMedical RecordsTechnology

How AI In Healthcare Can Improve Patient Outcomes

October 15, 2018

Cleveland Clinic Offering Global Care Air Rescue and Evacuation Services Program For an Annual Fee

February 25, 2011
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?