Ask The Security Channel Expert: Questions & Answers

Maintaining HIPAA compliance

EXPERT RESPONSE FROM: Felicia Wetter

QUESTION POSED ON: 25 October 2006
With SOX specifically, I've heard that auditors' expectations are evolving. In other words, what was good enough last year isn't necessarily good enough this year. Are you seeing the same thing happening with HIPAA? If so, what do I need to do to make sure my health care customers are meeting those expectations?

EXPERT RESPONSE

All Covered Entities, except small health plans, were required to be compliant with the HIPAA Privacy Rule on April 14, 2003. In addition, all Covered Entities, except small health plans, were required to be compliant with the HIPAA Security Rule on April 20, 2005. For the purposes of this answer, we will focus on the Security Rule.

The first standard under the Administrative Safeguards section is the Security Management Process. The purpose of this standard is to establish the administrative processes and procedures that a Covered Entity will use to implement a security program within its environment. The four implementation specifications under this standard are: Risk Analysis, Risk Management, Sanction Policy and Information Security Activity Review. The first two are of particular importance, as they are critical to a Covered Entity's Security Rule compliance efforts. The results from the Risk Analysis and Risk Management processes are the baseline for all security processes and compliance levels within the Covered Entity.

Therefore, in order to ensure your customers are meeting the expectations of the Security Rule, it is imperative that those customers have a well-defined, documented and implemented Risk Analysis process. The Risk Analysis process identifies potential security risks and determines the probability of occurrence and the magnitude of each risk. If a Covered Entity is continuously aware of the risks affecting EPHI and knows the probability and magnitude of those risks, it can address them, either through mitigation or acceptance, in a shorter period of time, thereby continuing its efforts to remain compliant with the Security Rule.

It is equally important that a Covered Entity has a well-defined, documented and implemented Risk Management process. This process is used to identify and implement security measures that reduce risk to a reasonable and appropriate level within the Covered Entity. Again, if the Covered Entity is aware of the risks affecting EPHI and has a process in place to implement the appropriate security controls to mitigate those risks, it is continuing its efforts to remain compliant with the Security Rule.

In summary, the best way to ensure your customers are meeting all expectations within the Security Rule is to make certain they have the Risk Analysis and Risk Management processes in place, and are using those processes to identify and mitigate any risks that arise.

For more information on helping your customers comply with HIPAA and other federal regulations, visit our regulatory compliance resource center.


All Rights Reserved, Copyright 2006 - 2008, TechTarget | Read our Privacy Policy