This article first appeared on mHealthNews on February 19, 2014.


One of the most common questions I am asked by customers is: “How long will it take us to become HIPAA compliant?” Many businesses see this as their ultimate goal, and so – understandably – they want a timeframe and budget to get there. And they are always disappointed by my answer, which is typically “You may never get there.”

The answer may sound flippant, but the point is that compliance is a journey and not a destination. This is particularly true when the objective is to be compliant with a regulation such as HIPAA, which has no clearly defined endpoint.

This might seem confusing given the countless claims made today in the healthcare marketplace offering “HIPAA compliant data solutions.” Isn’t HIPAA compliance what customers and patients are demanding and the government is assuring us that their regulations provide?

In reality, it’s difficult to ascertain what constitutes compliance for a regulation such as HIPAA because for the most part it is broadly defined, allowing for a great deal of interpretation. A good example of this is training. CFR 164.308(a)(5) says that a company must “Implement a security awareness and training program for all members of its workforce.” It sets no standard for the training beyond that it should be provided “as necessary and appropriate.” So how does an organization know whether it has satisfied this requirement? What standards are used to measure compliance?

Looking deeper, it’s useful to understand the difference between standards and regulations. The International Standards Organization (ISO) defines a standard as a set of “common and repeated uses, rules, guidelines or characteristics” that are “established by consensus and approved by a recognized body,” whereas regulations are a set of “binding legislative rules … adopted by an authority.” In other words, standards are measurable and regulations are enforced. For example, QWERTY is a standard for keyboards, and you can judge quite easily whether a keyboard meets that standard. Regulations, however, are legislative and, like the HIPAA training requirement, are open to much greater interpretation.

In some places HIPAA does cite standards for compliance. For example, within the requirements for encryption, HIPAA offers NIST’s encryption standards as an example of what would be deemed acceptable. But since the NIST standard itself has five different levels of encryption, which one should be used? And since HIPAA cites the NIST standard as only one example of a standard that would be deemed compliant, it doesn’t rule out the possibility of other, less stringent standards being acceptable. This can be confusing to many SMBs that are federally required to be compliant and risk hefty fines if they aren’t.

However, covered entities and business associates should not give up on their quest to be compliant. In my view, their solution is to adopt an information security and privacy framework based upon a definable set of security standards such as ISO 27001, which can also be audited against those standards by an accredited body. While this may not satisfy every HIPAA regulation, it’s better to add a few subjective requirements to an established and measurable framework than to have the entire framework be subjective. It also has the added bonus of extending this framework to all your sensitive data and not just electronic protected health information (ePHI).

Chasing HIPAA compliance alone is like a dog chasing its tail. It’s a lot of activity for minimal reward – and it may even make your organization less secure. In a recent article titled “Why mere compliance increases risk,” John Schroeter and Tom Pendergast argue that “a check-the-box approach to compliance” may actually leave your organization less secure and possibly not even compliant. They then outline four areas where such an approach may “be putting your organization – and your customers – in serious jeopardy.”

Better then to focus on developing and maintaining a robust and measurable information security framework that can be augmented to support your HIPAA requirements.

This is a journey worth taking, for while you may never be able to say with absolute certainty you are HIPAA compliant, you can at least demonstrate you are in the correct vicinity.

Grant Elliott is the founder and CEO of Ostendio, a Washington, D.C.-based information security compliance company. Prior to founding Ostendio, he was the chief operations officer and chief information security officer at Voxiva, responsible for building the Text4baby and Text2quit mobile solutions. He also worked for AT&T, Concert Communications and British Telecom.