By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
    Health
    Healthcare organizations are operating on slimmer profit margins than ever. One report in August showed that they are even lower than the beginning of the…
    Show More
    Top News
    learn to recognize and treat yeast infections
    Most Commonly Asked Questions About Yeast Infections
    November 17, 2021
    Advanced lung cancer diagnosis systems used by doctors
    Advanced Lung Cancer Diagnosis Systems Used by Doctors
    March 6, 2022
    The Top Benefits of a Wearable Blood Pressure Monitor Watch
    The Top Benefits of a Wearable Blood Pressure Monitor Watch
    June 13, 2022
    Latest News
    Beyond Nutrition: Everyday Foods That Support Whole-Body Health
    June 15, 2025
    The Wide-Ranging Benefits of Magnesium Supplements
    June 11, 2025
    The Best Home Remedies for Migraines
    June 5, 2025
    The Hidden Impact Of Stress On Your Body’s Alignment And Balance
    May 22, 2025
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
    Policy and Law
    Get the latest updates about Insurance policies and Laws in the Healthcare industry for different geographical locations.
    Show More
    Top News
    Chronic Disease Prevention Remains Top Priority
    September 9, 2017
    Worst Editorial of the Week Award
    September 13, 2017
    Are the Uninsured Getting a Free Ride?
    May 16, 2011
    Latest News
    Let Your Lawyer Handle the Work Before You Pay Medical Costs
    July 6, 2025
    Top HIPAA-Compliant Messaging Apps for Healthcare Teams
    June 25, 2025
    When Healthcare Ends, the Legal Process Begins: What Families Should Know About Probate and Medical Estates
    June 20, 2025
    Preventing Contamination In Healthcare Facilities Starts With Hygiene
    June 15, 2025
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: Fly First Class and Pay Economy for HIPAA Compliance
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > eHealth > Fly First Class and Pay Economy for HIPAA Compliance
eHealth

Fly First Class and Pay Economy for HIPAA Compliance

Danny Lieberman
Danny Lieberman
Share
7 Min Read
SHARE

Contents
Yikes – How can I do this HIPAA compliance thing for as little money as possible?Option 1 – DIYOption 2 – Hire a HIPAA compliance consultantHow to get the most out of a HIPAA consulting engagementThreat scenarios are the reality. Compliance regulation is the theory.

The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

Yikes – How can I do this HIPAA compliance thing for as little money as possible?

You have 2 options:

Option 1 – DIY

You can read the HHS documentation and and do it yourself. This is a not a bad option if you have the time and patience and have a solid understanding of information security and privacy compliance.

More Read

telehealth history
The Evolution of Medicare Telehealth Reimbursement
OCR Audits: The Skinny
Hey Friend, Can I Interest You in a Lung Transplant?
What Is Social Media?
eHealth collaborative brings health information technology home

Even if you have the security background, be prepared to spend a lot of time reading documentation and getting up to speed on the relevant HIPAA security safeguards.

My colleague Dr. Martin Wehlou is a physician, software engineer and CISSP. Martin could do it himself. But – even if you are a Stanford Medical School graduate, you may want to get expert help on HIPAA compliance for your practice. Do not assume you understand.

If you are mobile app developer, think twice about the DIY strategy.

Consider that mobile healthcare medical devices need to be cleared by the FDA with a 510(K) submission for patient safety and also meet HIPAA requirements for patient privacy and security. Even though a medical device vendor itself is not a HIPAA covered entity, the vendor is considered a business associate to a covered entity and may be required to demonstrate provable security.

Option 2 – Hire a HIPAA compliance consultant

By now you realize that you should probably retain a HIPAA security and compliance consultant who will walk you through the security safeguards in CFR 45 Appendix A and help you understand what you need to implement.

How to get the most out of a HIPAA consulting engagement

You want 2 things from your HIPAA consultant:

1) You want him or her to help you consider multiple threat scenarios that threaten patient data, and do that for your specific business (medical practice, hospital, nursing home etc).

Ask you HIPAA compliace consultant to help you build a number probable threat scenarios – considering what could go wrong – employees stealing a hard disk from a nursing station in an ICU where a celebrity is recuperating for the information or a hacker sniffing the hospital wired LAN for PHI, or residents surfing adult sites with their radiology iPads.

2) Ask your HIPAA consultant to prioritize a set of the most cost-effective safeguards for your operation (and not copy and paste the last report he did for some other hospital).

Threat scenarios are the reality. Compliance regulation is the theory.

Dveloping realistic HIPAA compliance threat scenarios (as opposed to checking off the regulatory checklist) requires some work.

Threat scenarios are not “one size fits all”.

The threat scenarios for an AIDS testing lab using medical devices that automatically scan and analyze blood samples, or an Army hospital using a networked brain scanning device to diagnose soldiers with head injuries, or an implanted cardiac device with mobile connectivity are all totally different.

For a healthcare organization of up to 1000 employees and 1-3 physical locations, here is a rough rule of thumb to help you estimate how much time you should invest in the process.

Allocate 3-5 days brainstorming threat scenarios in a conference room with doctors, nurses and administrative staff – up to 7 people should do the job.

The process of brainstorming threat scenarios for HIPAA compliance has 2 steps:

  1. Step 1 – consider how much your assets (people, systems, business, patient data) are worth in dollars and cents. Then consider, the likelihood of occurrence and cost of damage. These are all things that can be estimated or measured.
  2. Step 2 – consider likely threats, for example: radiology tablets infected by malware and downtime that affects your ability to provide service is 1 threat scenario.

You and your HIPAA consultant should then spend another 2-3 days, analyzing the data and building a threat model. A good HIPAA consultant will help you look at your business from the perspective of an attacker and then recommend specific cost-effective, security countermeasures to mitigate the damage from the most likely attacks.

Now take the threat model back to the team and run it by them for a sanity check in a 1-2 hour meeting.

After the sanity check with the team that constructed the threat scenarios, you and your HIPAA consultant need to calculate your Value at Risk. Calculating VaR will help shed light on where to save money and where to spend money.

Using threat analysis for HIPAA compliance gives you 3 good things:

  1. It gives you the right security safeguards, cheaper and more effective than implementing the entire checklist. Doing the right thing is good.
  2. Managers, especially finance managers, relate well to the concepts of threat modeling. A good CFO understands the notion of value at risk, and being a good CFO, will want to implement the right compliance controls at the lowest cost. This is not a bad thing.
  3. When you use threat scenarios, you create a common language between physicians and IT. This is a very good thing.
TAGGED:HIPAA compliance
Share This Article
Facebook Copy Link Print
Share

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

9 Lifestyle Tweaks That Can Add Years to Your Life
9 Healthcare Lifestyle Tweaks That can Add Years to Your Life
lifestyle
July 11, 2025
car accident lawsuit
Let Your Lawyer Handle the Work Before You Pay Medical Costs
Policy & Law
July 6, 2025
women dental care
What Is a Smile Makeover and How Much Does It Cost?
Dental health
June 30, 2025
HIPAA-Compliant Messaging Apps
Top HIPAA-Compliant Messaging Apps for Healthcare Teams
Global Healthcare Policy & Law Technology
June 25, 2025

You Might also Like

cybersecurity in healthcare
BusinesseHealthMedical RecordsPolicy & LawTechnology

Criminal Attacks on Healthcare Organizations Increase 100%

March 17, 2014

Will Information Technology Squeeze Physicians Out Of Their Central Role In Health Care?

July 11, 2012

Personalized Medicine: Reimbursement and Marketing Challenges

November 25, 2014

How to Use Youtube for Healthcare Marketing

April 11, 2014
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?