By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: Fly First Class and Pay Economy for HIPAA Compliance
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > eHealth > Fly First Class and Pay Economy for HIPAA Compliance
eHealth

Fly First Class and Pay Economy for HIPAA Compliance

Danny Lieberman
Danny Lieberman
Share
7 Min Read
SHARE

Contents
  • Yikes – How can I do this HIPAA compliance thing for as little money as possible?
  • Option 1 – DIY
  • Option 2 – Hire a HIPAA compliance consultant
  • How to get the most out of a HIPAA consulting engagement
  • Threat scenarios are the reality. Compliance regulation is the theory.

The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

Yikes – How can I do this HIPAA compliance thing for as little money as possible?

You have 2 options:

Option 1 – DIY

You can read the HHS documentation and and do it yourself. This is a not a bad option if you have the time and patience and have a solid understanding of information security and privacy compliance.

More Read

Company Sues Former Employee Over Twitter Account
Interview/Podcast: HIT Interoperability
Crowdsourcing Doctors’ Insights on What Works Best
Wal-Mart Clinics Go Live In the Cloud with Smart Care Doc–Telemedicine
How to Make Your Blogs Go Viral

Even if you have the security background, be prepared to spend a lot of time reading documentation and getting up to speed on the relevant HIPAA security safeguards.

My colleague Dr. Martin Wehlou is a physician, software engineer and CISSP. Martin could do it himself. But – even if you are a Stanford Medical School graduate, you may want to get expert help on HIPAA compliance for your practice. Do not assume you understand.

If you are mobile app developer, think twice about the DIY strategy.

Consider that mobile healthcare medical devices need to be cleared by the FDA with a 510(K) submission for patient safety and also meet HIPAA requirements for patient privacy and security. Even though a medical device vendor itself is not a HIPAA covered entity, the vendor is considered a business associate to a covered entity and may be required to demonstrate provable security.

Option 2 – Hire a HIPAA compliance consultant

By now you realize that you should probably retain a HIPAA security and compliance consultant who will walk you through the security safeguards in CFR 45 Appendix A and help you understand what you need to implement.

How to get the most out of a HIPAA consulting engagement

You want 2 things from your HIPAA consultant:

1) You want him or her to help you consider multiple threat scenarios that threaten patient data, and do that for your specific business (medical practice, hospital, nursing home etc).

Ask you HIPAA compliace consultant to help you build a number probable threat scenarios – considering what could go wrong – employees stealing a hard disk from a nursing station in an ICU where a celebrity is recuperating for the information or a hacker sniffing the hospital wired LAN for PHI, or residents surfing adult sites with their radiology iPads.

2) Ask your HIPAA consultant to prioritize a set of the most cost-effective safeguards for your operation (and not copy and paste the last report he did for some other hospital).

Threat scenarios are the reality. Compliance regulation is the theory.

Dveloping realistic HIPAA compliance threat scenarios (as opposed to checking off the regulatory checklist) requires some work.

Threat scenarios are not “one size fits all”.

The threat scenarios for an AIDS testing lab using medical devices that automatically scan and analyze blood samples, or an Army hospital using a networked brain scanning device to diagnose soldiers with head injuries, or an implanted cardiac device with mobile connectivity are all totally different.

For a healthcare organization of up to 1000 employees and 1-3 physical locations, here is a rough rule of thumb to help you estimate how much time you should invest in the process.

Allocate 3-5 days brainstorming threat scenarios in a conference room with doctors, nurses and administrative staff – up to 7 people should do the job.

The process of brainstorming threat scenarios for HIPAA compliance has 2 steps:

  1. Step 1 – consider how much your assets (people, systems, business, patient data) are worth in dollars and cents. Then consider, the likelihood of occurrence and cost of damage. These are all things that can be estimated or measured.
  2. Step 2 – consider likely threats, for example: radiology tablets infected by malware and downtime that affects your ability to provide service is 1 threat scenario.

You and your HIPAA consultant should then spend another 2-3 days, analyzing the data and building a threat model. A good HIPAA consultant will help you look at your business from the perspective of an attacker and then recommend specific cost-effective, security countermeasures to mitigate the damage from the most likely attacks.

Now take the threat model back to the team and run it by them for a sanity check in a 1-2 hour meeting.

After the sanity check with the team that constructed the threat scenarios, you and your HIPAA consultant need to calculate your Value at Risk. Calculating VaR will help shed light on where to save money and where to spend money.

Using threat analysis for HIPAA compliance gives you 3 good things:

  1. It gives you the right security safeguards, cheaper and more effective than implementing the entire checklist. Doing the right thing is good.
  2. Managers, especially finance managers, relate well to the concepts of threat modeling. A good CFO understands the notion of value at risk, and being a good CFO, will want to implement the right compliance controls at the lowest cost. This is not a bad thing.
  3. When you use threat scenarios, you create a common language between physicians and IT. This is a very good thing.
TAGGED:HIPAA compliance
Share This Article
Facebook Copy Link Print
Share

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

dental care
Importance of Good Dental Care for Health and Confidence
Dental health Specialties
October 2, 2025
AI in Healthcare
AI in Healthcare: Technology is Transforming the Global Landscape
Global Healthcare Policy & Law Technology
October 1, 2025
Choosing the Right Swimwear for Health and Safety
News
September 30, 2025
sports concussions
Concussion In Sports: How Common They Are And What You Need To Know
Infographics
September 28, 2025

You Might also Like

vaccinations
Public HealthSocial Media

Vaccines Matter: A Public Health Rant

February 4, 2015
HIE
BusinesseHealthHealth ReformHospital AdministrationMedical RecordsPolicy & LawPublic HealthTechnology

Collaboration and Federation: IHE Creating Direct Project Provider Directory

June 7, 2014

Person-Centered HealthCare BONUS – CONTEST!: ePatients – TELL US YOUR STORY!

December 14, 2012
mobile healthcare industry
eHealthMobile HealthNewsTechnology

Healthcare Industry Enters the Mobile World

February 28, 2013
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?