HIPAA Blog

[ Wednesday, September 28, 2016 ]

HHS' HIPAA guidance doesn't reach NIST standards: That's the GAO's conclusion, and they're right. However, while NIST's CyberSecurity Framework (CSF) is a good place to get guidance and a worthy goal of any entity looking for data security, it's not really required. HIPAA is for every covered entity, and the vast majority of HIPAA covered entities (think one-doctor practices) won't have the infrastructure, much less the potential risk of loss or breach, that would warrant a full-blown CSF-compliant security plan.

Expectations and requirements must both be reasonable. HIPAA-covered entities should look at CSF, especially the crosswalk provided by OCR. But don't feel inadequate if you can't hit every target; instead, try for the reasonable stuff. Besides, your Privacy Rule compliance is going to give you a lot more comfort in meeting Security Rule requirements than fretting about technical compliance requirements that are beyond your organization's ability.

Jeff [1:09 PM]

Comments: Post a Comment

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template