The HIPAA Security Final Rule requires that all Covered Entities and Business Associates (and, soon likely, their subcontractors) complete a Risk Analysis. The risk analysis requirement is specified in 45 C.F.R. § 164.308(a)(1)(ii)(A) Risk Analysis and is known as an Implementation Specification. Risk Analysis is one of four Implementation Specifications that are part of […]
Invariably, in our Live Web Events, we are asked something along the lines of: can we just do the Risk Analysis on our EHR system (and not on other systems/media/applications that handle ePHI)? Here’s today’s big tip – NO! And, in the words of OCR attorneys at the recent NIST-OCR HIPAA Security summit in DC, organizations that narrow […]
We sometimes refer to a real HIPAA Security Risk Analysis as getting into the “trees and weeds”. With a rigorous Security Risk Analysis and Management Methodology, it is easy to be swallowed up in these details. Here’s today’s big tip – Keep an eye on the Big Picture. Don’t lose sight of your business risk management goals. Here’s […]
The HIPAA Security Final Rule, reinforced by the HITECH Act, requires every CE and BA, in accordance with the security standards general rules (§164.306), to have a security management process in place “to implement policies and procedures to prevent, detect, contain, and correct security violations.” Here’s today’s big tip – Know the letter and the intent of […]
In July 2010, HHS and OCR issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. Security Risk Analysis is not “star wars” technology nor a news flash. There are many ways to go about it. OCR frankly doesn’t care what methodology you use as long as your approach incorporates what they identified as nine (9) essential elements in their guidance. Here’s today’s big tip — Don’t re-invent the wheel! Follow OCR Guidance and adopt a proven, highly trusted methodology. Here’s how…
I admit that I have become so steeped in HIPAA subject matter, in general, and the process of completing a HIPAA Security Risk Analysis, in particular, that I forgot that many organizations are just starting out. This post is aimed at getting back to basics. Here’s today’s big tip – Get a quick baseline education… here’s how…
I’m a big […]
Many organizations are looking for a simple HIPAA security checklist to help them complete the HIPAA Security Risk Analysis (per 45 CFR 164.308(a)(1)(ii)(A)) for a variety of reasons. The two most prevalent reasons are: 1) compliance with the HIPAA Security Final Rule; and, 2) in the case of eligible hospitals and eligible providers seeking Meaningful Use […]
Although the HIPAA Security Final Rule required that a Risk Analysis be completed and updated by April 2005, many organizations are just getting started.
It’s not optional! You must perform a HIPAA Security Risk Analysis (45 C.F.R. § 164.308(a)(1)(ii)(A)). Forget HIPAA! Forget the upcoming mandatory HIPAA audits!
If you want to exercise due care in standing up your privacy […]
Regardless of the risk analysis methodology employed, your work must include these elements. HHS/OCR provided final guidance on completing a HIPAA Security Risk Analysis (45 C.F.R. § 164.308(a)(1)). Regardless of methodology (and some don’t make the grade!), HHS/OCR cites nine (9) essential elements that must be included in your risk analysis. Here’s a […]
One of the sub-steps, if you will, in completing the Risk Determination step as part of doing a HIPAA Security Risk Analysis (45 CFR 164.308(a)(1)(ii)(A)) is to Document Present Security Controls. Here’s today’s big tip — Use the security controls bible! Read more…