May I see your comprehensive security policy please?

Huh? What's that?

Lack of compliance with the HIPAA security standards is common in county and municipal government agencies even though many of these organizations have covered entities (CE) under their umbrellas. For some reason, almost everyone got the memo on required compliance with HIPAA privacy rules in 2003, but many organizations missed the subsequent memo on required compliance with security rules by April of 2005.

Nearly 14 years have passed since the security rule was published, and I have no explanation for the compliance lacuna that exists today. If you are an executive, manager or provide IT services for a CE, your security policy should be as well-worn as your kids' Harry Potter books.

If someone (i.e. an auditor) asks about your compliance program, you should be able to succinctly summarize it and immediately provide documentation of your compliance activities. If this doesn't describe your organization, you are not alone, and there is no time like the present to begin the process.

Compliance isn't a one-time, passive event; there are routine steps you must take to ensure the CIA (confidentiality, integrity and availability) of your clients' protected health information (PHI).

Denial and disbelief

Denial and disbelief are the first two stumbling blocks I encounter when informing managers in government agencies that they are not in compliance with HIPAA. Sickening yellow clouds of realization dawn over a period of several weeks while I continue to email copies of the Code of Federal Regulations (CFR) to the relevant parties. The attorney is generally the first to comprehend the magnitude of the situation.

Holistic information security

I talk about security policies rather than HIPAA policies. Something that is also common in municipal government is a lack of information security policies based on a generally accepted standard or framework for information security. You can and should address HIPAA security requirements and your overarching organizational information security requirements together.

Form a governance committee

Developing your security policy isn't an IT project; it is part of an Information Governance program. A cross-functional team including representation from several organizational entities must be part of the process for developing your information security policies. Here are the roles I generally request to be part of the policy development team:

1. Executive owner
2. Legal
3. HR
4. Information technology
5. Line of business units
6. Records management
7. Risk management, privacy and information security officer roles (many municipal governments do not employ these functional roles, but they will once they have developed their policy)

Read the regulations!

I am a big believer in always working from primary sources. I encourage you to embark upon your HIPAA journey by reading the full text of the regulations. In the table below, I have hyperlinked them for your convenience. When I write policies for clients, I work directly from the regulation with their policy or governance committee so that everyone understands the process and the final result. Even so, clients will often argue about something that is projected on the wall right in front of them. I link every client policy to the corresponding HIPAA requirement.

Primary sources for compliance – educate yourself

A list of resources for HIPAA security and privacy compliance.

HIPAA Compliance

HIPAA Privacy Rule
  45 CFR Parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information.
  Final Rule – December 28, 2000

HIPAA Security Rule
  45 CFR Parts 160, 162, 164.
  Final Rule – February 2003

HIPAA Combined Regulation Text
  HIPAA Administrative Simplification.
  Unofficial version amended through March 2013 combining the privacy and security rules.

HITECH Act Enforcement
  HITECH Act interim final rule; includes penalties for non-compliance.
  October 30, 2009

NIST Special Publication 800-53
  Security and Privacy Controls for Federal Information Systems and Organizations.
  Revision 4, April 2013

Privacy Rule Resources
  HHS.GOV resources.

Guide to Privacy and Security of Electronic Health Information
  Office of National Coordinator for Health Information Technology.
  Version 2.0, April 2015

NIST HIPAA Security Rule Toolkit
  Downloads and tools from NIST for assessment, etc.

NIST Special Publication 800-66
  An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
  October 2008

Security Risk Assessment Tool
  HealthIT.Gov.
  Executable tool – paper copy available too.

Compliance Matrix

In a previous article on the subject, I provided a sample, high-level compliance matrix for a security policy aligned with HIPAA.

Caveat emptor

Vendors often market products as being "HIPAA compliant." If you have read the regulations above, you now know that there is no such thing. The HIPAA security rule is technology-neutral, and any reference to compliance would be to your organization's policy rather than to the rule itself.

Get to work!

If you are now nauseous because you realize that you are not even remotely in compliance, that's a good thing. Use that feeling to quickly get to work to protect your organizational information assets.