[ Wednesday, August 27, 2003 ]


HIPAA Security tips from HIPAAcademy:

I think I have a link to these guys off on the left, but if not, you can find more information about them here. They have a "7 Steps" program on HIPAA security that looks pretty interesting.

I just gave a speech on HIPAA privacy and security yesterday in Houston, and as part of my Security speech I mentioned the driving elements of Confidentiality, Availability, and Integrity. Your systems and operations should be set up to ensure that PHI is kept confidential (the PHI is not available to anyone other than those with a need to access it for the benefit of the patient), is available (the PHI is available to those with a need to access it), and retains its integrity (is not changed, degraded, amended, deleted, or revised except when appropriate). Keep those three objectives in mind, and adopt policies and procedures to achieve them, and you will have gone a long way to being security-compliant.

HIPAAcademy's "seven steps" are useful when thinking about what you really need to do to achieve those three goals. The steps are:

1. Responsibility: someone must be the Security Officer and take charge of the entity's HIPAA efforts.
2. Analysis: the entity's systems and operations must be analyzed to determine the risk areas, weaknesses, and shortcomings.
3. Strategy: the entity's strategy for compliance, and its policies and procedures for achieving -- and maintaining -- security compliance must be formulated, articulated, revised, and kept current.
4. Remediation: the entity must remediate shortfall areas and cure potential risks highlighted by the risk analysis.
5. Third Parties: whether business associates or trading partners, the entity must see where risk areas involve others and take steps to minimize or fix them.
6. Training: the entity must train, retrain and refresh the training of its staff, officers, and others.
7. Evaluate: the entity must evaluate what it has done, what actions are effective and which ones are not, and fine-tune its systems and operations. The entity must constantly re-evaluate its security operations to make sure new threats or trouble spots are addressed.

All in all, a pretty good way to approach security compliance.

Jeff [10:32 AM]
