Overview:
Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, all electronic protected health information (e-PHI) created, received, maintained, or transmitted by a "covered entity" or a "business associate" is subject to the Security Rule. If we accept that information technology powers modern health care, then it stores or disseminates almost everything an entity might know about a patient. Thus, e-PHI security and privacy is fundamental and paramount.
The Security Rule requires entities to evaluate risks and vulnerabilities in their technology environments and to implement reasonable and appropriate security measures to protect e-PHI. The Office for Civil Rights (OCR), the security watchdog of the Department of Health and Human Services (DHHS), is in particular responsible for issuing annual guidance on the provisions of the HIPAA Security Rule.1 The OCR is also the body responsible for ensuring that covered entities comply with the intent of the Security Rule. From a compliance perspective, then, it is especially wise to take heed of what the OCR is saying.
In its first guidance, released on July 14, 2010,2 the OCR states: "A risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information."
In short, an information technology risk analysis is the fundamental security cornerstone DHHS expects covered entities to meet. As the OCR ratchets up its compliance activities, as it has promised to do after the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, covered entities that have not conducted an adequate.
A risk analysis using a risk-based approach is the foundation on which to build your information security compliance program. Without this baseline, your organization is swimming aimlessly.
The OCR goes on to stress in its Guidance on Risk Analysis:
We note that some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST). NIST, a federal agency, publishes freely available material in the public domain, including guidelines. Although only federal agencies are required to follow guidelines set by NIST, the guidelines represent the industry standard for good business practices with respect to standards for securing e-PHI. Therefore, non-federal organizations may find their content valuable when developing and performing compliance activities.
So, in short, OCR "suggests" that a covered entity might use the NIST risk-based approach for performing a risk analysis. Our view is that when OCR "suggests" something, it is very much like God telling you to do so: the "suggestion" is merely an imperative in loose wording. Of course, other good risk frameworks exist, such as Control Objectives for Information and Related Technologies (COBIT), developed by the Information Systems Audit and Control Association (ISACA), or OCTAVE, developed by the CERT Program at Carnegie Mellon University's Software Engineering Institute. These frameworks may be used, but why bother? The NIST guidance, as provided in Special Publication 800-30 and its Revision 1, is excellent, thorough, and easily tailored for small, medium, and large covered entities.
In short, any solution must encompass the 78 HIPAA Security Audit Protocols issued by the OCR, combined with the NIST SP 800-30 Revision 1 methodology. I believe that only software solutions that simplify the rules, automate the risk analysis process and its documentation, and have passed numerous audits are worth considering.
Why should you attend: HIPAA does not require any specific certification for HIPAA Security Risk Analysis software or professional services. When is an investment in third-party professional services needed, versus self-assessing? How do you know that the software or firm you hire is qualified to give your organization assurances of compliance and security? How can a tool scale down for smaller organizations and up for larger organizations with complex parent-child relationships (i.e., regional, county, or national offices)?
Group health plans, hospitals, clinics, and business associates all have unique needs, so selecting software tools that cover all the requirements while automating as much of the documentation and process as possible is paramount. Attend this session to make choices that protect your organization's investment.
Areas Covered in the Session: