Yesterday, 12/12/12, in an HHS News Release entitled “New tools to help providers protect patient data in mobile devices”, the U.S. Department of Health and Human Services (HHS) announced a new education initiative and “set of online tools” related to mobile devices such as laptops, tablets, and smartphones. Here’s today’s big tip — There’s Good News and Bad News in this News Release!
HIPAA Security Risk Analysis Tips – HHS Mobile Device Guidance
I have mixed feelings about this announcement.
On the one hand, good! — We certainly know from numerous sources that there are a lot on knuckleheads (healthcare term of endearment) out there that are simply ignoring basic hygiene, like duh(!), really(?), you haven’t encrypted laptops, tablets, and smartphones yet? Heeelllooo! It’s the new millennium.
On the other hand, bad! — After all, this is healthcare and since when do we write the same “one size fits all prescription” for all that ails ya!? How would you like it if your doc ordered the same set of tests and or same set of scripts or same set of other orders for all of her patients? I supposed she’d like that too! Less thinking! More consistent coding and billing! Probably more revenue!
So, what’s a responsible risk manager to do?? (That means you! CISO, CPO, CIO, CFO, CxO and, of course, you, VITO = Very Important Top Official).
Yes, there are always good or best practices to consider and, possibly, implement.
At the same time, Director Rodriquez and ONC Chief Privacy Officer Pritts, you have both advocated the more, may I say, comprehensive and intelligent approach to information security which is to start by completing an authentic Risk Analysis required at 45 CFR §164.308(a)(1)(ii)(A). It makes the world of sense. Encourage organizations to understand their specific ailments (risks/exposures) before ordering the same set of controls/safeguards for everyone.
Which is it? HIPAA Security Rule “Flexibility of Approach” at 45 CFR §164.306(b) whereby I’m encouraged to take stock of my specific risks and business situation …
Chase after the then-latest “infosec boogeyman” like a soccer team of 5-year-olds who run wherever the ball happens to be?
Refresh your memory on the HIPAA Security Risk Analysis requirement:
45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process
(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Learn more About Doing an authentic HIPAA Security Risk Analysis…
The HIPAA Security Rule (at 45 C.F.R. §164.308(a)(1)(ii)(A)) requires an initial security risk analysis according to risk analysis guidance issued by HHS/OCR based on NIST standards. The one-of-a-kind Clearwater HIPAA Risk Analysis is guaranteed to simplify that process, immediately identify threats and vulnerabilities and make risk analysis less overwhelming.
OCR Audit Protocols for Risk Analysis are clear! CMS, as planned, has launched audits of organizations who have attested to Meaningful Use Objectives and Risk Analyses will be audited. Have you completed a bona fide HIPAA Security Risk Analysis?
The subscription fee to the Clearwater HIPAA Risk Analysis™ is based on the size of the organization in an effort to make this powerful tool available to organizations of all sizes.
OR, call 800-704-3394 X3007 Today!