Chasing certifications won’t prevent data breaches

In the electronics industry, the UL stamp of approval means that a product has been deemed safe. But in the healthcare field, there isn’t a single certification that ensures that Protected Health Information is safe – or that risks are being properly managed.

Even if such a silver bullet existed, a certification cannot guarantee that your organization will never suffer a data breach, complaint or penalty from the Office for Civil Rights (OCR).

Any healthcare organization that places its trust solely in the Payment Card Industry Data Security Standard (PCI-DSS), HITRUST or Service Organization Controls 2 (SOC 2) is on shaky ground. That's because the OCR has never accepted SOC 2 "opinions", PCI-DSS audits or HITRUST "certifications" as evidence of compliance with HIPAA regulations. If submitted in response to an investigation or audit, such documentation would be immediately rejected.

Here’s why these three approaches fall far short of meeting HIPAA requirements:

©2021 HIT Leaders and News, a GO Digital Media publication. All rights reserved.