Get started by establishing whether or not your organization is a covered entity. Once PHI is identified within an organization’s software or systems, a review of the covered entity’s security policies and procedures is the next step to identify gaps and implement controls.
The Health Information Trust Alliance (HITRUST) offers a common security framework (CSF) to help organizations implement the controls HIPAA requires for compliance. The HITRUST CSF allows organizations to self-assess and implement appropriate controls. However, some organizations may require a validated assessment performed by a HITRUST assessor. This assessment must then be submitted to the HITRUST organization for review and approval. Failure to achieve HITRUST certification may prevent certain HIPAA-regulated organizations from receiving PHI from organizations that require HITRUST compliance in their documented security requirements for third parties.
If a violation is reported to the OCR, your organization must be able to respond to requests for evidence of HIPAA-required controls. Perform external reviews of your security program and carry out technical assessments to demonstrate adherence.
Implement at least the minimum required testing and controls defined by HIPAA. Risks to PHI and the covered entity extend beyond checking a compliance box. As threats to privacy and security evolve and expand, expectations for implementing reasonable controls required by HIPAA will also continue to expand. The easiest way to handle evolving expectations is to be one step ahead.