Hipaa Hitech Policy: Fill & Download for Free

Short answerHIPAA and HITECH compliance is a bit like Schrödinger Kitty Box: You won't know whether you're compliant until you're audited. (See below for my shameless plug!)Long answerEchoing what others have said, there is no such thing as HIPAA certification for business entities.AFAIK, neither HIPAA nor HITECH specify certification procedures or empower other federal agencies, NGOs, industry groups, or any other entity to examine and certify business entities as being HIPAA/HITECH compliant.So basically, you take your best shot at it and hope you covered all the bases.Serious though, how, you ask?There are plenty of consultants offering their services to help business entities achieve HIPAA/HITECH compliance. They can be very expensive. I've heard of some who offer to certify business entities as being HIPAA/HITECH compliant, and I'd run away from them as fast as I could. They all, IMHO, reinvent the same damn wheel over an over again, and I'd like to make them a thing of the past as far as startups are concerned.No really, how, you ask again??Choose a cloud/hosting provider that pays attention to compliance issues. There are plenty of components you can use to build a computing and operating environment that is likely HIPAA/HITECH compliant. Cloud and hosting providers typically advertise the audits and tests they go through, resulting is specific certifications. Those address some of the physical security, logical security, data backup, data availability, data disposal, and penetration testing requirements of HIPAA/HITECH. Downside: Hosts like this charge a hefty premium - unwarranted, I think - for HIPAA/HITECH compliant-ish services. Starting at $495 a month, IIRC.You can employ people with vendor-neutral certifications like CDMP, DGSP, CISSP, CISM, CIDM, etc., that pertain to security, data management, data governance, and other topics that have HIPAA/HITECH analogs. These people are expensive, but if you hire one who has served as a compliance or security officer with specific HIPAA/HITECH experience then you're part way to your goal. Downside: They may come from organizations that had to retrofit existing systems to be compliant and thus may see compliance as being far more complex than it really is.Hire HIPAA/HITECH consultants to review your efforts, identify gaps, and specify remediation. I have no experience engaging these folks - all my HIPAA experience was internal at a large enough company to dedicate several people to the effort. Downside: Expensive. Unsure if there is a self-policing industry body to weed out the ineffective ones.Finally, run your HIPAA/HITECH compliance efforts past your lawyers? Maybe. Of questionable value IMHO. In my experience they just muck things up, foresee problems where there are none, add months to the process, demand to review every tiny policy adjustments, and generally don't have the first clue about HIPAA/HITECH issues. If you can find lawyers who understand HIPAA/HITECH issues then go for it. Good luck with that.Shameless Plug!So, again...HIPAA/HITECH compliance: how, you ask, close to losing patience?That's where my startup, HIPAAStack, comes in. HIPAAStack is a cloud-based, open source "compliance-in-a-box" solution, designed to get Health 2.0 startups and mobile developers to compliance in days rather than months. HIPAAStack contains all the training resources and policy templates to train employees and establish administrative roles and procedures, plus a database backend and development framework with built-in Role Based Access Control, encryption, and auditing. The cloud portion will be available as a marketplace add-on and work with major SQL and NoSQL databases and development languages.So...there's that. I'd love to hear from Health 2.0/digital health startups and mHealth app developers about your compliance experiences, needs, and desire to be alpha customers.Thanks!

Hospitals, Covered Entities, and Business Associates should do a thorough risk assessment. They should identify areas of concern or non-compliance, and take appropriate and reasonable steps to correct any problems. They should maintain a complete set of policies and procedures that enforce compliance within the organization. They should maintain a document library of required information, and evidence that they are following policies / procedures, and the prescribed standards / implementations of HIPAA / HITECH laws..It is not a trivial undertaking, however it is important to do these things in order to both remain in compliance, and be ready if the organization is audited.The OCR will send a document request list with the audit notification. The organization has two weeks to respond. It is far better to be prepared ahead of time.Compliance is not a one time thing, it is an ongoing process. A serious HIPAA / HITECH privacy and security review from time to time is highly advisable.

Agree with previous answers and background provided.I thought it would be helpful to add a real-world example: An organization I’ve worked with uses 99% MacOS and iOS devices in all 15 of its healthcare clinics. This organization has also attained HITRUST[1] accreditation.Previous posters are 100% correct there is not a governing body that “stamps HIPAA approved” on organizations. HITRUST accreditation requires annual audits of policies and procedures. At least this should provide some proof that using MacOS/iOS would not preclude an organization from compliance with HIPAA regulations.===[1] HITRUST, a security framework, harmonizes and cross-references existing, globally recognized standards, regulations and business requirements, including HIPAA, HITECH, NIST, ISO, PCI, FTC, COBIT, Joint Commission, and (USA) state laws.