Q&A: Streamlining security assessments for HIPAA compliance
Q: In the HIPAA compliance requirements, there are multiple sets of safeguards—technical, physical, administrative—and additional rules for transmission security, authentication controls, facility access questions, etc. This seems complex. We do in-depth HIPAA assessments for our clients, but some clients want a simple assessment that they can keep up with to maintain compliance. Any recommendations for streamlining the assessment?
A: This question appears to be focused on the HIPAA Security Rule. Information security doesn’t need to be complex, and the HIPAA Security Rule was written to be flexible. If an entity is small, security compliance does not need to be overly onerous. The Office of the National Coordinator for Health Information Technology (ONC), with the support of OCR, created a simple online risk assessment tool that can be used by smaller entities to assess their security programs on an ongoing basis. However, if the smaller entity contracts with a managed services provider (MSP), some of the questions included in the ONC tool may need to be directed to the MSP vendor. The tool can be found here.
Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.