The following 10-step plan is offered as a high-level guide of what needs to be accomplished.
- Formally appoint an Information Security Official to
lead your organization's HIPAA Security remediation project.
Doing this means you have already satisfied one of the security
requirements. In an ongoing security program, this responsibility
can be shifted to a group of appropriate individuals, but
during the remediation effort, should really be led by one
- Create a team of stakeholders that can assist in completing
the remaining tasks (HIPAA Security Committee). Because
security compliance is an organizational (not just IT) goal,
be sure to include members of finance, HR, HIM and the clinical
departments in your committee.
- Perform a HIPAA evaluation which is commonly referred
to as a HIPAA Gap Analysis. Take a look at each of the HIPAA
standards and document your current compliance level.
- Create an inventory of all systems that maintain ePHI
within the organization - and remember, this inventory should
not be restricted to only systems managed by your Information
Systems department. Any standalone departmental systems
or databases that reside on the network should be included
in this inventory.
- Perform an evaluation of each system to determine HIPAA
compliance. Ask questions such as, "Do these systems
have audit trail?", "Do these systems have a timeout
function?", and "Are we managing who has access
to these systems and who does not?"
- Begin the process of Risk Analysis to identify all reasonable
risks and vulnerabilities to the confidentiality, integrity,
and availability of ePHI. You can use the NIST SP800-30
as a guide; an updated draft version is currently available
for download (http://csrc.nist.gov/publications/nistpubs/).
You can begin this process by having a brainstorming session
to identify all vulnerabilities to the organization. Many
organizations are creating mechanisms for employees to report
risks and vulnerabilities to the information security officer.
External firms can assist you in this effort and offer an
objective way to identify risks and vulnerabilities within
networks, operating systems, firewalls, administrative controls,
and physical controls. After you have identified the vulnerabilities,
it is important that you determine the probability that
the risk will occur and the impact to the organization.
With this information, you can classify vulnerabilities
and risks; one example of this might be as Very High, High,
Medium, and Low.
- After you have identified the vulnerabilities within
the organization, perform Risk Management to determine the
actions to take for each risk or vulnerability. The options
- Create an action plan to implement the recommended safeguards.
- Create policies to guide the organization for each of
the HIPAA standards. Word to the wise: HIPAA requires that
organizations address and document their compliance for
each of the 54 standards and implementation features. At
this late date, it may be beneficial to purchase templates.
Finally, if you purchase policies, you must evaluate them
and make sure that they reflect your corporate culture and
that you are prepared to follow the policies.
- Implement the recommended safeguards.
If you follow these guidelines, you will be on your way to HIPAA compliance.