Clients frequently ask us questions like this.
Danny,
I have a quick question about our HIPAA compliance that we achieved back in early 2013. Since then we have released a couple of new software versions and we are wondering to what extent we need to perform another security and compliance assessment. Please let us know what sort of information you might require to evaluate whether or not a new HIPAA security rule assessment is required.
What about the upcoming changes in HIPAA in 2016?
Any software changes that increase the threat surface to attacks (new ports, new interfaces, new modules that use PHI) would be reason to take a look at your Security Rule compliance.

Re HIPAA 2016 – OCR is still making plans, but it is almost certain they will be doing audits. I believe that due to the sheer size of the program they will start with the biggest hospitals; I do not think that small medical device vendors will be on their radar, although the big guys that had serious adverse events will probably get audited (insulin pumps, implanted cardiac devices).
In general, if you are developing medical software that connects to the Internet or the mobile Internet, you should not wait 3 years between security assessments. Make secure software development methodology part of the way you develop software, and audit once a year or on any major release.
Danny