“HIPAA compliance” remains a polarizing term that can be interpreted in many different ways. Last week, HealthITSecurity.com discussed with Joseph Lorenzo Hall, Senior Staff Technologist at the Center for Democracy and Technology (CDT), how vendors’ “HIPAA compliant” claims compare with organizations themselves becoming compliant against explicit benchmarks. A few LinkedIn members commented on the article in the “All Things HITECH” subgroup and offered their understanding of what meeting HIPAA standards means.
John Hughes of eDocSecure, Inc.:
As a reminder, products cannot be HIPAA compliant; only organizations can. Why vendors still continue to promote products as HIPAA compliant amazes me!
Mac McMillan of CynergisTek, Inc.:
You are absolutely correct. What some may be trying to say, and what would be nice for all to have to say, is that their product includes all of the necessary functionality needed for it to perform in a compliant manner once the customer acquires and puts it into service.
It would be nice if the buyer could receive some assurance that the technology they are acquiring was developed using industry standards, that it minimally was built on a supported operating system, was patchable, could support A/V protection and included the necessary functionality required to meet other HIPAA requirements as appropriate.
Wouldn’t that be something? Not a claim that we are HIPAA compliant, but a claim that our product or service is built to support compliance.
Donna Grindle, CHPSE, President and Senior Consultant at Kardon Technology, LLC:
As part of our process, we have our clients send a due diligence questionnaire to BAs. We tell them it isn’t important to give perfect answers, just reasonable ones that show they are trying to understand and meet their obligations.
The amount of push back and wild answers we see on the responses is amazing. It ranges from “We don’t have to answer this because we aren’t even a BA” to “Yes, we are HIPAA compliant and don’t need to tell you anything further”.
Frequently, we hear they only use “HIPAA compliant” products to make them compliant. Or, my favorite, a simple response that they are a Certified HIPAA Compliant organization. (You are not allowed to ask “certified by whom,” though, without a great deal of push back.) Some of the worst of these types of responses have been from technology service and software companies.
We find it refreshing when we get honest answers that show they are trying to understand and meet their obligations as best as they can. Which, of course, is the stated point of the questions in the first place. None of these responses have been from technology service or software companies, though.
It’s always interesting to hear the varying healthcare industry perspectives on HIPAA compliance, and these comments were no different. More guidance on the topic is a must, and hopefully the Department of Health and Human Services (HHS) takes note and better regulates the way vendors describe their products. A product cannot itself be HIPAA compliant; it can only help give healthcare organizations the opportunity to become compliant.