Comply With HIPAA To Comply With The Joint Commission

Briefings on HIPAA, July 27, 2007
When it seems impossible to get your organization to constantly comply with various rules and regulations, find comfort in the fact that taking HIPAA compliance seriously should help you meet The Joint Commission's standards for privacy and security as well. Luckily, the two standards are pretty consistent, with HIPAA being by far more detailed. But there are a few specifics of which you should be aware when trying to meet both standards.

It doesn't make sense to stress out over complying with both sets of requirements, says Kate Borten, a Marblehead, MA-based HIPAA privacy and security consultant. Both Joint Commission requirements and HIPAA requirements match up well. If you focus on complying with HIPAA, you're practically complying with The Joint Commission requirements by default. "I certainly see nothing that's contradictory. The Joint Commission is essentially reinforcing HIPAA," Borten says. "I would say that organizations should be looking to meet the HIPAA privacy and security rules, and if they do, The Joint Commission requirements should really be a cake walk."

That's in large part because The Joint Commission requirements are broad and sweeping and don't go into the level of detail that the privacy and security rules provide. It's also because The Joint Commission updated its information management standards to be consistent with HIPAA.

Differences in the rules
One difference between the two sets of standards is that HIPAA requires only a disaster recovery plan but not a business continuity plan, says Borten. So The Joint Commission does go a step further in this case. "We've known for a long time that we need both [disaster recovery plans and business continuity plans]," says Borten. "So it makes perfect sense."

Another privacy/security matter that The Joint Com-mission stresses more than HIPAA is the need for ongoing monitoring-of internal policies, procedures, and compliance, as well as external factors such as developments in technology. The security rule also requires monitoring in the form of ongoing reviews and updated risk analyses, but The Joint Commission standards seem to emphasize it more.

"The privacy and security rules use slightly different language that doesn't quite hammer you on the head as much as The Joint Commission," says Borten. "It makes me wonder if The Joint Commission doesn't understand the industry better. I'm really glad that they do that."

Covered entities should also take note of The Joint Commission's language regarding the need to monitor technology and other information to improve privacy and security, says Frank Miller, healthcare attorney at Baker Hostetler, LLC, in Columbus, OH. What this amounts to is a requirement to keep up with industry standards in protecting privacy and security. Because HIPAA allows covered entities a great deal of flexibility in determining what's reasonable for them given their size and budget, this could mean that, in some cases, The Joint Commission's standards might be more stringent.

"You have to keep up with the Joneses to meet [The Joint Commission's requirements]," says Miller. "So, for example, encryption is not required by HIPAA, but it is industry standard. So [The Joint Commission] may be more stringent there." The difficulty is that the definition of an industry standard is open to interpretation. A large hospital with a significant budget is going to have a different standard than a smaller facility, so there are different standards for different facilities, says Miller. It's important to keep up with what other facilities of a similar size are doing.

"You don't want to get too far behind, even if you can get away with it under HIPAA," says Miller. "There's a tendency among our clients to say, 'I'll put these policies in place and make it all pretty, and then I can let it go. I'm in compliance.' It's hard to get them to understand that they have to keep spending money and keep updating their security."

Another reason the emphasis on monitoring under The Joint Commission is important is that the commission has switched to unannounced surveys. Now facilities will have to demonstrate compliance without notice, and this could force them to be more proactive than they have in the past, Borten says.

"Right now, many organizations are in a reactive mode. If there's a breach, [they'll] react. But they're not taking concrete steps to go around and periodically monitor and be proactive, as The Joint Commission wants them to do."

What remains to be seen, Borten says, is whether Joint Commission surveyors, who traditionally focus on patient care, will have the expertise to really enforce the technical aspects of the privacy and security requirements. "How far they're going to drill down and how easy it's going to be to satisfy them on the security and privacy points, we're just going to have to wait and see," says Borten. "I'd like to see that be an impetus to organizations to make further changes. But I'm not sure that's going to happen.'

Differences in policy
Another aspect to consider is that some organizations may split their compliance functions between privacy and security officers tasked with handling HIPAA and other officials who focus on Joint Commission requirements, Miller says. Sometimes this split can cause confusion among staff members when the two sides write slightly different policies or when they interpret standards differently. So it's important for privacy and security officers to talk with those who handle Joint Commission requirements and to develop consistent policies and procedures.

"There can be a lack of uniformity in how the entity approaches these standards,' says Miller. "That can cause confusion about the same information. Your goal is that the people who are handling this protected information have a clear understanding of what their responsibilities are and that they're doing it in a uniform fashion." But if you keep these pointers in mind and communicate internally, it should be easy enough to satisfy The Joint Commission, Miller says, as long as you're up to date with your HIPAA compliance plans.

"[The Joint Commission] is taking a 50,000-ft view, and HIPAA comes down a level," says Miller. "From a compliance standpoint, if you comply with HIPAA, you should be okay with [The Joint Commission]."

Lauren McLeod is the editor of Briefings on HIPAA. She may be reached at This story first appeared in the July edition of Briefings on HIPAA, a monthly newsletter by HCPro Inc. For information on all of HCPro’s products, visit




FREE e-Newsletters Join the Council Subscribe to HL magazine


100 Winners Circle Suite 300
Brentwood, TN 37027


About | Advertise | Terms of Use | Privacy Policy | Reprints/Permissions | Contact
© HealthLeaders Media 2016 a division of BLR All rights reserved.