HIPAA Compliance - What does it mean?
Most health care providers still have a substantial amount of planning and task execution ahead of them. Fortunately for most of us, many of the security requirements are processes we are already using in some form. Now is the time to review each of the security requirements, determine and document your compliance level, and then make an action plan to achieve compliance. The following 10-step plan is offered as a high-level guide to what needs to be accomplished and should help you get this important project started.
- Formally appoint an Information Security Official to lead your organization's HIPAA Security remediation project. Doing this means you have already satisfied one of the security requirements. In an ongoing security program, this responsibility can be shared among a group of appropriate individuals, but during the remediation effort it should be led by one person.
- Create a team of stakeholders that can assist in completing the remaining tasks (HIPAA Security Committee). Because security compliance is an organizational (not just IT) goal, be sure to include members of finance, HR, HIM and the clinical departments in your committee.
- Perform a HIPAA evaluation, commonly referred to as a HIPAA Gap Analysis. Review each of the HIPAA standards and document your current compliance level against it.
- Create an inventory of all systems that maintain ePHI (electronic protected health information) within the organization. Remember, this inventory should not be restricted to systems managed by your Information Systems department: any standalone departmental systems or databases that reside on the network should be included as well.
- Perform an evaluation of each system to determine HIPAA compliance. Ask questions such as, "Do these systems have audit trails?", "Do these systems have a timeout function?", and "Are we managing who has access to these systems and who does not?"
- Begin the process of Risk Analysis to identify all reasonable risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
We can begin this process with a brainstorming session to identify all vulnerabilities to the organization. Many organizations are creating mechanisms for employees to report risks and vulnerabilities to the information security officer. Hammond & Associates can assist you in this effort and offer an objective way to identify risks and vulnerabilities within networks, operating systems, firewalls, administrative controls, and physical controls. After the vulnerabilities have been identified, it is important that you determine the probability that each risk will occur and its impact on the organization. With this information, we can classify vulnerabilities and risks, for example as Very High, High, Medium, or Low.
- After we have identified the vulnerabilities within the organization, we perform Risk Management to determine the action to take for each risk or vulnerability. The options can include:
  - Mitigate
  - Transfer
  - Watch
  - Accept
- Hammond & Associates can create an action plan to implement the recommended safeguards.
- We can help you create policies to guide the organization for each of the HIPAA standards. Word to the wise: HIPAA requires that organizations address and document their compliance for each of the 18 standards and implementation features. Finally, if you create policies, you must evaluate them to make sure that they reflect your corporate culture and that you are prepared to follow them.
- Implement the recommended safeguards.