Security regulation that doesn't suck.
(Thoughts are my own, not my employer's.)
Some positive thoughts on HIPAA, having been doing this health-related startup security thing for just over 2 years now:
-
It drives risk-based decision making. ยง 164.308(a)(1)(ii)(A) requires a covered entity to regularly "[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information".
-
It is relatively non-prescriptive regarding implementation specifics, but has an accessible set of guidance provided by HHS - see https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.
-
It doesn't stop a covered entity from using modern technology. It's possible to be all in on AWS, as their HIPAA game is strong (https://aws.amazon.com/health/healthcare-compliance/hipaa/).
-
It is enforced! https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html
Sure, it has some pain points, but things are not all terrible in HIPAA land.