Beware of Cure-Alls for HIPAA Compliance

By eweek  |  Posted 2001-03-26

I always find it amusing when a new issue rises on the it horizon, and suddenly dozens of vendors rush forward to tout their product as "the solution." Often, they are hawking their existing wares but putting a new spin on them to gain a presence in a new market segment. Now, I dont want to imply that all of these vendors are modern snake oil salesmen.

Often, the products being pitched are important parts of the solution. However, beware the illusion that such products solve the entire problem.

A recent eWeek article ("Meeting a mandate for patient privacy," Jan. 1/8) showed me that the latest target for these slick hucksters is the medical profession. The recently released security guidelines for the Health Insurance Portability and Accountability Act have attracted numerous companies that will assure regulatory compliance if "you just buy our product." But what unique medical capabilities do these products provide? None. Look at the underlying technologies: encryption, Lightweight Directory Access Protocol, firewalls and virtual private networks. This is hardly a list of innovative techniques. The only thing separating them from other security vendors is "HIPAA" in the marketing literature.

What should you do if the specter of compliance with HIPAA or another mandated security standard is lurking around your business? First, you need to go beyond simply implementing a security product. HIPAA compliance requires the cooperation of many departments, including legal, IT, finance, audit and security.

Next, identify what steps each department needs to take to work toward compliance. It will take project management skills to coordinate these diverse efforts.

The last step is to examine existing technologies and processes to identify compliance gaps. At this point, technology can be chosen that will help you achieve compliance.

By taking these steps, you will save money in the long run by avoiding the implementation of unnecessary systems.

Beware snake oil salesmen. Anyone who says that their "product will make you HIPAA-compliant" is selling false hope. Compliance is not sold in a bottle.

Rocket Fuel