Chasing certifications won’t prevent data breaches
In the electronics industry, the UL stamp of approval means that a product has been deemed safe. But in the healthcare field, there isn’t a single certification that ensures that Protected Health Information is safe – or that risks are being properly managed.
Even if such a silver bullet existed, a certification cannot guarantee that your organization will never suffer a data breach, complaint or penalty from the Office for Civil Rights (OCR).
Any healthcare organization that places its trust solely in the Payment Card Industry Data Security Standard (PCI-DSS), HITRUST or Service Organization Controls 2 (SOC 2) is on shaky ground. That’s because the OCR has never accepted SOC 2 “opinions”, PCI-DSS audits or HITRUST “certifications” as evidence of compliance with HIPAA regulations. If submitted in response to an investigation or audit, such documentation would not be accepted as proof of HIPAA compliance.
Here’s why these three approaches fall far short of meeting HIPAA requirements: