HIPAA is not vague – it’s prescriptive.

It’s like a POLICY statement – what we will do, what we won’t do, what we promise.

It does NOT tell you HOW to do things because HIPAA/OCR/HHS didn’t want to reinvent the wheel.

I assume you’ve read the HIPAA standards in full? PCI standards in full?

HIPAA is a great conversation starter and is designed to be understood by Doctors, Nurses, Orderlies – people with HIGH SCHOOL education and up.

If you want to know HOW to evaluate security, look at the NIST 800 series or the PCI standards.

If you want to know HOW to build a compliance framework, look at ISO 27001 or COBIT.

There’s lots of room for disagreements on the standard, and many, many approaches – some right, some wrong.  That’s where the HIPAA corrective actions and updates come into play.

We expect doctors to cut open chests, prescribe the right drugs, and we hold them personally liable for making mistakes.

The SAME standard is being expected of us, as providers and BAAs.

And just as every human being is NOT qualified to be a doctor or practice medicine, not every IT consultant or MSP is qualified to practice Healthcare IT.

HIPAA is leading the charge towards the professionalization of IT – it requires us to play on the same, level field as our clients.

Understanding and implementing HIPAA is equivalent to getting a PhD in information security, privacy and nuances of healthcare.

That’s one of the key reasons why I became (and remain) a CISSP. It taught me (and still teaches me, daily) about MANAGING RISK. Security is a trade-off between your threats, the likelihood of attacks, your resources vs. the attackers’, and the impact on the business.

Any trained (and many untrained) person can configure firewalls, routers, widgets.

But not anyone can conduct an audit or assessment (yes, there’s a difference between those words…interchange them at your own risk!), evaluate risks, and then COMMUNICATE them effectively to management, staff, board members, janitors and everyone in between.

For Example:

What’s the difference between a bookkeeper and a CPA?

The only difference between a bookkeeper and a CPA is cost and liability. A bookkeeper can give the same advice as a CPA (lots of great bookkeepers are retired CPAs), just as any tech can give security “advice”. The difference is that if your bookkeeper says “you can claim this as an expense” and the IRS disagrees, the liability is 100% on you. On the other hand, if your CPA says “you can claim this as an expense” and attests to that in the forms, and the IRS disagrees, then your CPA is on the hook for the penalties.

Eventually, I predict that IT will become more like medicine, law or engineering: professional certification (NOT vendor certs), licensing bodies, personal liability for failure, professional rules of conduct, etc.

I also expect that other industries (finance, insurance, engineering, etc.) will demand BAA-like compliance from their IT vendors.

Learn from HIPAA & PCI now – they are the blueprints to the future of our chosen profession.

Learn more from Raj Goel, CISSP at www.RajGoel.com and the Datto Partner’s Conference.