Lack of compliance with HIPAA security rules is common in municipal government. May I see your comprehensive security policy please? Huh? What’s that? Lack of compliance with the HIPAA security standards is common in county and municipal government agencies even though many of these organizations have covered entities (CE) under their umbrellas. For some reason, almost everyone got the memo on required compliance with HIPAA privacy rules in 2003, but many organizations missed the subsequent memo on required compliance with security rules by April of 2005. SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe Nearly 14 years have passed since the security rule was published, and I have no explanation for the compliance lacuna that exists today. If you are an executive, manager or provide IT services for a CE, your security policy should be as well-worn as your kids’ Harry Potter books. If someone (i.e. an auditor) asks about your compliance program, you should be able to succinctly summarize it and immediately provide documentation of your compliance activities. If this doesn’t describe your organization, you are not alone and there is no time like to present to begin the process. Compliance isn’t a one-time, passive event and there are routine steps you must take ensure the CIA (confidentiality, integrity and availability) of your clients’ protected health information (PHI). Denial and disbelief Denial and disbelief are the first two stumbling blocks I encounter when informing managers in government agencies that they are not in compliance with HIPAA. Sickening yellow clouds of realization dawn over a period of several weeks while I continue to email copies of the Code of Federal Regulations (CFR) to the relevant parties. The attorney is generally the first to comprehend the magnitude of the situation. Holistic information security I talk about security policies rather than HIPAA policies. Something that is also common in municipal government is a lack of information security policies based on some generally accepted standard or framework for information security. You can and should address HIPAA security requirements and your overarching organizational information security requirements together. Form a governance committee Developing your security policy isn’t an IT project; it is part of an Information Governance program. A cross-functional team including representation from several organizational entities must be part of the process for developing your information security policies. Here are the roles I generally request to be part of the policy development team: 1. Executive owner 2. Legal 3. HR 4. Information technology 5. Line of business units 6. Records management 7. Risk management, privacy and information security officer roles (Many municipal governments do not employ these functional roles, but they will once they have developed their policy). Read the regulations! I am a big believer in always working from primary sources. I encourage you to embark upon your HIPAA journey by reading the full text of the regulations. In the table below, I have hyperlinked them for your convenience. When I write policies for clients, I work directly from the regulation with their policy or governance committee so that everyone understands the process and the final result. Even so, clients will often argue about something that is projected on the wall right in front of them. I link every client policy to the corresponding HIPAA requirement. Primary sources for compliance – educate yourself Compliance Matrix In a previous article on the subject, I provided a sample, high-level compliance matrix for a security policy aligned with HIPAA. Caveat emptor Vendors often market products as being “HIPAA compliant.” If you have read the regulations above, you now know that there is no such thing. The HIPAA security rule is technology-neutral, and any reference to compliance would be to your organization’s policy rather than to the rule itself. Get to work! If you are now nauseous because you realize that you are not even remotely in compliance, that’s a good thing. Use that feeling to quickly get to work to protect your organizational information assets. Related content opinion Board and management responsibilities for information security Only 37% of corporate directors are confident with their organizationsu2019 cyber security plans. What responsibilities do corporate and public-sector boards have for oversight of cyber and information security and what resources are available for th By Jeffrey Morgan Feb 09, 2018 5 mins IT Governance Data and Information Security IT Leadership opinion Information governance in the federal government Inexcusable mismanagement of classified data, secret e-mail accounts and wanton destruction of public information demonstrate that there isnu2019t any information governance happening in the federal government. By Jeffrey Morgan Feb 02, 2018 5 mins Government IT Government Technology Industry opinion Digital transformation in the public sector Letu2019s rename it management transformation. By Jeffrey Morgan Jan 11, 2018 6 mins Government Digital Transformation IT Leadership opinion Keep your dirty, stinkin’ hands off my Internet A reading list on net neutrality. By Jeffrey Morgan Jan 02, 2018 5 mins Regulation Government Technology Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe