
Ask HN: HIPAA Compliance? - dyeje
I recently took the helm on a startup project that deals with PHI. I'm researching a lot trying to understand everything I need to do for compliance. Do you have any books, articles, training courses, consultants, services, etc. that you recommend for understanding and implementing HIPAA compliance?
======
citrablue
Approach compliance like security -- it'll never be 100%. Except with HIPAA
compliance, your goal is both to prevent data leaks and to document, to
cover yourself legally.

Ignorance is no excuse, so it's important to take the recommended precautions.
I would suggest hiring a 3rd party auditor with some sort of certifications --
that'll be an important CYA.

In general, you want to have written protocols and documented auditing for the
following (plus some general concepts):

* Encrypt at rest, in transit

* Who has access? What is the policy for granting/revoking access? Is there an audit trail to see who accessed what, in the event of a breach?

* What data / systems are considered PHI/PII?

* How do you train employees about HIPAA?

Most of this is documenting processes and then showing that you review the
logs every 3/6/whatever timeframe.

A more complete list: [https://www.hipaajournal.com/what-is-a-hipaa-violation/](https://www.hipaajournal.com/what-is-a-hipaa-violation/)

