Monday, August 27

Compliance: More of an Art than a Science

I just read an article titled Perfect HIPAA security impossible, experts say. It covers a few healthcare companies' different approaches to HIPAA compliance. The main premise is summarized by Barry Runyon of Gartner:
[Companies] need to take a risk-based approach to HIPAA compliance that takes into account their individual circumstances and resources, he said. "Tailor the HIPAA security rule to your organization so you don't break the bank… It comes down to being able to prove you've taken due diligence," he said, adding that documenting the reasons why a HIPAA provision can't be implemented usually is sufficient for auditing purposes.
Whenever I hear from experts on industry regulations, it sounds as if compliance is more of an art than a science. I find that very interesting. When we think of an audit, we tend to think of accountants reconciling numbers in a ledger. ...and everything needs to match up. But in IT security, that conceptualization doesn't ring true. So, be careful about searching for the perfect compliance checklist. And be careful about consultants who have a proven formula. This is an iterative process that requires corporate lifestyle changes. Toward the end of the article, there's also a nice example of how identity management solutions can be an enabler for compliance.

1 comment:

Anonymous said...

Very recently I came across a very interesting webcast event that is going to be held on December 11, 2007 9 am PT/12 pm ET on subject “How Information Governance and Compliance Pay”. I think this webcast could be useful for your website visitors.
This webcast is based on recent research conducted by the IT Policy Compliance Group, focuses on fact-based insight into how improving information governance, risk and compliance, reduces costs, financial risk and the loss of sensitive data.
You website visitor who are interested in this webcast can learn about the steps should be taking to:
• Reduce labor costs
• Mitigate and avoid significant financial risk and loss
• Improve information governance results
• Improve regulatory compliance results
More information about this webcast is available at