This entry is part 10 of 48 in the series HIPAA Security Risk Analysis Tips

 

One of the sub-steps in completing the Risk Determination step of a HIPAA Security Risk Analysis (45 CFR 164.308(a)(1)(ii)(A)) is to Document Present Security Controls. Here’s today’s big tip: use the security controls bible!

For each Information Asset identified in your Asset Inventory process (e.g., systems, databases, major hardware, network equipment, operating systems, and application software), you need to document what safeguards and controls are presently in place. Read HIPAA Security Risk Analysis Background and Requirements – A White Paper for Healthcare Professionals for more on completing a HIPAA Security Risk Analysis.

We recommend you work through this process asset by asset, as it can be very detailed and time-consuming work.

Starting with your first Asset, list any and all security controls that you believe to be in place for this Asset.  In other words, describe how the confidentiality, integrity and availability of this Asset are being protected presently.  This work should include consideration of all administrative, physical and technical safeguards.

Reference the security controls bible, NIST SP800-53 Revision 3 Final, Recommended controls for Federal Information Systems and Organizations, as an aid, guide and memory prompt.

The Clearwater HIPAA Security Risk Analysis ToolKit™ includes a worksheet from which you copy/paste relevant security controls from the “SP800-53 Controls” worksheet into the “Risk Determination and Remediation” worksheet.

As required by the HITECH Act, the Office for Civil Rights has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.


Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.
 