Monday, August 27

Compliance: More of an Art than a Science

I just read an article titled Perfect HIPAA security impossible, experts say. It covers a few healthcare companies' different approaches to HIPAA compliance. The main premise is summarized by Barry Runyon of Gartner:

[Companies] need to take a risk-based approach to HIPAA compliance that takes into account their individual circumstances and resources, he said. "Tailor the HIPAA security rule to your organization so you don't break the bank… It comes down to being able to prove you've taken due diligence," he said, adding that documenting the reasons why a HIPAA provision can't be implemented usually is sufficient for auditing purposes.

Whenever I hear from experts on industry regulations, it sounds as if compliance is more of an art than a science. I find that very interesting. When we think of an audit, we tend to think of accountants reconciling numbers in a ledger, where everything needs to match up. But in IT security, that conceptualization doesn't ring true. So, be careful about searching for the perfect compliance checklist. And be careful about consultants who have a proven formula. This is an iterative process that requires corporate lifestyle changes. Toward the end of the article, there's also a nice example of how identity management solutions can be an enabler for compliance.