The HIPAA Security Regulations have a compliance deadline of April 20, 2005. Compliance requires a complete inventory and analysis of all applications and information flows, as well as a complete health information Risk Analysis. In addition, all security compliance activities, policies, and procedures must be thoroughly documented.
Compliance with the Security Rule is not “just an IT department thing.” About half the requirements are administrative, and compliance involves everyone in your organization. HIPAA Security is all about having an information security process.
Compliance requires a top-to-toe evaluation of your organization’s systems and security practices and its existing policies and procedures.
Has your organization done all the documentation of systems, detailed risk analysis, policy & procedure implementation, and workforce security training needed to attain HIPAA Security Rule compliance?
Lewis Creek Systems HIPAA Security Compliance Services can provide the experienced assistance you need to meeting all the requirements of the Security Rule.
What Is Required for HIPAA Security Compliance?
The HIPAA Security Regulations require a number of actions to be taken, policies and procedures to be established, and technologies to be implemented. There are at least 50 high-level HIPAA Security Regulation details to be considered and acted upon to achieve compliance, and many of those details have multiple components.
The requirements of the Security Regulations are flexible, which allows covered entities to consider a wide variety of factors in defining what is “reasonable and appropriate.” But entities must also perform Risk Analysis and fully justify and document each action taken to satisfy the regulations. The preparations that must be undertaken to attain compliance are substantial.
For instance, CFR §164.308(a)(7), a single regulation section concerning Contingency Planning requires that a covered entity:
• Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
This standard includes a number of implementation requirements that must be addressed for each system in order to meet the standard, including:
• Data Backup Plan
• Disaster Recovery Plan
• Emergency Mode Operation Plan
• Testing and Revision Procedures
• Applications and Data Criticality Analysis
Overall there are literally hundreds of details to be addressed, each requiring an understanding of the risks to information security as well as thorough justification and documentation of compliance actions taken.
What is the Compliance Process?
1) The first step in reaching compliance with HIPAA Security requirements is to perform a detailed assessment of information flows and analysis of risk exposures for all health information.
2) Technological or physical measures can be taken to reduce risk exposures and policies and procedures can be implemented to meet the extensive requirements in the rule as well as address the risks exposed in the analysis.
3) Once new policies, procedures, and practices are established, workforce training is conducted to meet requirements and enable the necessary institutional culture of privacy and security.
Lewis Creek Systems has the experience to assist you in all of these critical tasks, and provide complete Compliance Assessment Services if desired. Contact us for further information or a free preliminary quotation for services.
Go to the Services Overview