[ Wednesday, September 28, 2016 ]


HHS' HIPAA guidance doesn't reach NIST standards: that's the GAO's conclusion, and they're right.  However, while NIST's Cybersecurity Framework (CSF) is a good place to get guidance and a worthy goal for any entity looking to secure its data, it isn't actually required.  HIPAA applies to every covered entity, and the vast majority of HIPAA covered entities (think one-doctor practices) won't have the infrastructure, much less the potential risk of loss or breach, that would warrant a full-blown CSF-compliant security plan.

Expectations and requirements must both be reasonable.  HIPAA-covered entities should look at the CSF, especially the crosswalk to the HIPAA Security Rule provided by OCR (the HHS Office for Civil Rights).  But don't feel inadequate if you can't hit every target; instead, aim for the reasonable stuff.  Besides, your Privacy Rule compliance is going to give you a lot more comfort in meeting Security Rule requirements than fretting about technical compliance requirements that are beyond your organization's ability.

Jeff [1:09 PM]

