A guide to help healthcare organizations understand the HIPAA Security Rule.This article is an excerpt from our ebook, Diagnosing HIPAA Security. To download your free copy of the complete ebook, click here.
‘I know HIPAA is required, and I know it’s important, I just don’t know what exactly HIPAA requires me to do.’
Don’t feel bad if this statement sounds all too familiar. Many doctors, nurses, office managers, and healthcare professionals we talk to share the same confusion over HIPAA compliance. Unfortunately, noncompliance with the HIPAA standards puts organizations at greater risk now than ever before.
Risk AnalysisThe HIPAA risk analysis is arguably the most important part of not only Security Rule compliance, but the entire HIPAA standard as well. The purpose of the risk analysis is to help covered entities identify (and document!) potential security risks (i.e. threats and vulnerabilities). Every security effort your organization makes will be determined by your risk analysis, so it’s critical to conduct a thorough and accurate assessment.
SEE ALSO: What Are Addressable HIPAA Requirements?
While the HHS has no specified method of conducting a risk analysis, there are some generally accepted steps that outline the process.
Here is an example risk analysis process.
- Identify the scope of the analysis
- Gather data
- Identify and document potential threats and vulnerabilities
- Assess current security measures
- Determine the likelihood of threat occurrence
- Determine the potential impact of threat occurrence
- Determine the level of risk
- Identify security measures and finalize documentation
The HHS has stated on multiple occasions that they will make examples of healthcare organizations that put PHI at risk. Given the stated importance and heavy consequences associated with the risk analysis, you may want to consider working with a HIPAA security expert.
SEE ALSO: 5 Steps to Making a Risk Assessment
Risk ManagementIn the risk analysis you identified the threats and vulnerabilities that expose your organization to potential risk. Now it’s time to add in some protection.
SEE ALSO: You May Not Be Done With HIPAA
Risk management is the second implementation specification of the Security Management Process. The risk management specification requires organizations to implement security controls that ‘reduce risks and vulnerabilities to a reasonable and appropriate level.'
There are many ways to approach risk management, but ultimately the process will consist of three main steps:
- Develop and implement a risk management plan: Create a plan of attack for how you will evaluate, prioritize, and implement security controls.
- Implement security controls: Begin your attack on risk. Implement security measures that address the greatest areas of risk. Prioritization will help you make the biggest impact on risk in the shortest amount of time.
- Evaluate and maintain security controls: Evaluate the security controls you’ve implemented and be sure to keep an eye out for new areas of risk.
This article is an excerpt from our ebook, Diagnosing HIPAA Security. To download your free copy of the complete ebook, click here.