Of the 180 HIPAA audit requirements, the most enforced requirement, cited in more than 50% of the recent HIPAA financial penalties, is the lack of an accurate and thorough risk analysis. Questionnaire-based self-assessments do not adequately address HIPAA’s requirement for an accurate and thorough Security Risk Analysis (SRA). You can’t cover up an inadequate compliance process with a phony seal saying your compliance has been validated. And, focusing just on HIPAA is a mistake. Finally, your organization is unique and a canned self-assessed solution won't give you the accurate and thorough results you need.

How do I know? Because I have conducted hundreds of audits where clients have assessed themselves and none – not one – zero – has accurately and thoroughly identified their risks. The simple reason is they completed a questionnaire based either on what they believed or on what they thought should be the right answer, without having the tools or expertise to validate their answers.

The only way to get an accurate and thorough Security Risk Analysis is with an ‘under-the-skin’ network scan, conducted by someone with technical competence and an understanding of HIPAA.

A ‘HIPAA-Made-Easy’ tool is a one-trick pony that doesn’t adequately address all your compliance requirements. No one must comply with just HIPAA. You must also comply with your state data breach law, PCI DSS if you take credit cards, your cyber liability insurance policy, and any contracts you’ve signed that contain cyber security and compliance requirements. Implementing the NIST Cybersecurity Framework (CSF) and auditing yourself against it will comply with almost all your requirements.

When we work with our clients we take the time to identify all of their compliance requirements. That often takes some effort on their part to look at their contracts and find their cyber insurance policy.

Every one of our assessments includes an under-the-skin network scan that accurately identifies:

  • Where data is stored (you can’t protect it if you don’t know where it all is)
  • What devices are encrypted (shocking to so many who believe their policies are being followed)
  • If security patches and anti-virus are installed as required (99% aren’t)
  • What users have access, including the dangerous highest-level administrator access to their networks, and password expiration dates (everyone is surprised)
  • What usernames and passwords are for sale on the Dark Web (the criminal side of the Internet)

Without this level of detail, you will not have the required accurate and thorough Security Risk Analysis.

Covering up the most enforced HIPAA requirement with a phony seal that says you are compliant is like tattooing “I’m Healthy” on your forehead without getting any under-the-skin medical tests to see if you really are. Worse, based on legal advice I received that warned me against offering seals of compliance, a seal may give you and everyone you serve a false sense of compliance that may create serious legal liabilities.

Having been involved in HIPAA since the Privacy Rule came out in 2003, I have hands-on experience building a compliance program for the hospital where I was the Chief Information Officer, and as a consultant that has helped hundreds of healthcare clients and business associates implement compliance in a meaningful way. I’m also the best-selling author of How to Avoid HIPAA Headaches, have spoken at the National HIPAA Summit, and I’ve consulted with many companies in both the healthcare and IT industries.

Personally, I get frustrated by companies that turn HIPAA into a marketing exercise with fake claims and incomplete solutions.

From vendor websites:

Saying there are six HIPAA audits required by the HHS (U.S. Department of Health and Human Services) is not true. There is a single HIPAA audit protocol with 3 audits based on the HIPAA Privacy, Security, and Breach Notification Rules. Look it up for yourself at the government’s website - https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html.

When you go there you won’t find an HHS-required HITECH Subtitle D Privacy Audit. It’s a made-up requirement.

An accurate and thorough Security Risk Analysis is like a complete physical exam that includes under-the-skin blood tests and MRIs. To properly identify the vulnerabilities and threats that affect the security of electronic Protected Health Information (ePHI) you cannot just answer a few self-assessment questions in 10 - 15 minutes. (Or an hour.) You need a network scan with the results analyzed by someone familiar with both cybersecurity and HIPAA, just as a trained and experienced doctor reviews blood tests and medical images to give you an accurate and thorough diagnosis.

Your organization is unique, which is why you don't want a canned solution, like one that tells you your risk analysis report will be 23 pages before you start.

HIPAA Business Associate Agreements do not need to be signed and executed each year. Another made-up requirement. Since they were introduced in 2003 with the HIPAA Privacy Rule, Business Associate Agreements only have had to be updated once, in 2013, when the HIPAA Omnibus Final Rule made changes to Business Associate requirements. Unless there are major changes to HIPAA, there won’t be a need to update your agreements.

Don't fall for a solution that claims it can "make you compliant." While you can get assistance from a vendor, you must make yourself compliant, and consistently stay there.

Beware of offering a seal, reselling a service that provides a seal, or using a seal, because there are 180 HIPAA audit protocol requirements that would each require 100% compliance – 7 days a week, 24 hours a day – for the seal to be accurate. How can compliance be validated by simply asking you questions? Comparing this to healthcare, that is the equivalent of you saying you are healthy, and never getting sick, gaining a few pounds, or, invisibly, having your cholesterol or blood sugar exceed a safe number, or, worse, having a tumor start to grow on a critical organ. Like healthcare, the only way to identify and prevent compliance issues is to regularly get an under-the-skin checkup.

A Seal of Compliance is a high risk you should avoid. When I saw seals of compliance being offered by ‘HIPAA Made Easy’ vendors, I consulted with my attorney and talked with an attorney at the Federal Trade Commission. My attorney warned me against offering a seal because compliance is a moving target – a journey, not a destination – and that I would incur liability if I ‘certified’ compliance with a seal, no matter what fine print I created saying the seal wasn’t really meaningful.

But it was the Federal Trade Commission attorney who really scared me. She said that if I offered a seal of compliance, and worked with partners who resold our services, then if a medical client or Business Associate that displayed the seal failed an audit or investigation, they could be charged by the FTC or a state attorney general with unfair business practices, false advertising, and consumer fraud.

When I shared this with my attorney, he said that both I and my reseller partners could be subject to liability claims for certifying or validating someone’s compliance when they weren’t. He said the liability disclaimed in any fine print saying the seal really didn’t mean anything would likely not stand up to the scrutiny of the big letters on the seal saying the entity was compliant.

Doing HIPAA correctly doesn’t require gimmicks and fake requirements. It simply requires the right technical and compliance tools, created by recognized experts, and used by experienced professionals. Don’t let slick marketing get in the way of complying with HIPAA’s most enforced requirement – an accurate and thorough Security Risk Analysis.