Ask The Security Channel Expert: Questions & Answers

Maintaining HIPAA compliance

Expert response from: Felicia Wetter

QUESTION POSED ON: 25 October 2006
With SOX specifically, I've heard that auditors' expectations are evolving. In other words, what was good enough last year isn't necessarily good enough this year. Are you seeing the same thing happening with HIPAA? If so, what do I need to do to make sure my health care customers are meeting those expectations?


All Covered Entities, except small health plans, were required to be compliant with the HIPAA Privacy Rule on April 14, 2003. In addition, all Covered Entities, except small health plans, were required to be compliant with the HIPAA Security Rule on April 20, 2005. For the purposes of this answer, we will focus on the Security Rule.

The first standard under the Administrative Safeguards section is the Security Management Process. The purpose of this standard is to establish the administrative processes and procedures that a Covered Entity will use to implement a security program within their environment. The four implementation specifications under this standard include: Risk Analysis, Risk Management, Sanction Policy and Information Security Activity Review. The first two are of importance, as they are critical to a Covered Entity's Security Rule compliance efforts. The results from the Risk Analysis and Risk Management processes are the baseline for all security processes and compliance levels within the Covered Entity.

Therefore, in order to ensure your customers are meeting the expectations of the Security Rule, it is imperative that such customers have a well-defined, documented and implemented Risk Analysis process. The Risk Analysis process identifies potential security risks and determines the probability of occurrence and magnitude of such risks. If a Covered Entity is continuously aware of the risks affecting EPHI and knows the probability and magnitude of said risks, they can address them, either through mitigation or acceptance, in a shorter period of time, thereby continuing their efforts to be compliant against the Security Rule.

It is also equally important that a Covered Entity has a well-defined, documented and implemented Risk Management Process. This process is used to identify and implement security measures to reduce the risk to a reasonable and appropriate level within the Covered Entity. Again, if the Covered Entity is aware of the risks affecting EPHI and has a process in place to implement the appropriate security controls to mitigate these risks, they are continuing their efforts to be compliant against the Security Rule.

In summary, the best way to ensure your customers are meeting all expectations within the Security Rule is to make certain they have the Risk Analysis and Risk Management Processes in place, and are using such processes to identify and mitigate any risks that arise.

For more information on helping your customers comply with HIPAA and other federal regulations, visit our regulatory compliance resource center.


All Rights Reserved, Copyright 2006 - 2009, TechTarget