HIPAA Security Rule gap analysis
Web Site: http://m3ipinc.com
HIPAA is arguably the most challenging issue facing healthcare
organizations today. The Security Rule provisions of HIPAA are now
at the forefront of healthcare legislation in the United States,
and all healthcare providers will be held accountable for
compliance. These measures, although cost intrusive and time
consuming, will ultimately result in cost savings and increased
efficiencies across the entire healthcare industry.
Things to know about the HIPAA Security Rule:
What ? The rule applies to ePHI (electronic protected health
information), which is individually identifiable health information
in electronic form.
Who? Covered Entities (CE) must comply with the rules
requirements. CE's include:
Medicare Parts A, B and supplements
Veterans Health Care providers
Long-term health care
Health Care Providers
Health Care Clearinghouses
Community Health Information Systems
Community Health Management Systems
How? CE's must maintain reasonable and appropriate
administrative, physical and technical safeguards to protect
against any reasonably anticipated threats or hazards to the
security or integrity of ePHI.
Why? The basic premise of the Security Rule is to protect the
confidentiality, integrity and availability of ePHI when it is
stored, maintained or transmitted.
When? The final Security Rule will be effective as of April
21st, 2003. Most CE's must comply by April 21st, 2005. Small health
plans (those with yearly receipts of $5 million or less) will have
until April 21st, 2006.
What is a Gap Analysis?
A gap analysis provides for a analysis based on current best
practices and methodologies. It should focus on the following
current HIPAA safeguard standards:
The gap analysis should be based primarily on information
gathered by your organization and will involve extensive
information gathering and current-state assessments of your
controls and operational procedures by your own internal IT staff.
This method will provide:
Better Use of Resources
Greater Understanding of the I/T Infrastructure
Substantial Cost Savings
What the Gap Analysis provides?
The primary focus of the gap analysis is to evaluate the
information collected from the information gathering process
against the requirements of the HIPAA security rule. Once the
process is complete, you will have established the benchmark for
the mandated risk analysis. The risk assessment is actually the
basis for your decision making process as to what should be done to
mitigate the risk of an incident, how to implement those decisions
and what activities need to be documented. It will also provide the
groundwork for your on-going efforts in regards to protecting ePHI
(electronic protected health information). It should be broken down
into four phases:
Information Gathering Checklist
Questionnaire & Policy and Procedures Review
Summary of Gap Results
Some HIPAA security questions you should know the answers
Do you have security policy and procedure documentation?
Have you performed a detailed security audit with an action plan
within the last 6 months?
Have you provided for staff security awareness training?
Are there controls in place, in regards to what information
employees can access?
Is there a disaster recovery plan in place?
Are you using diligent authentication methods? (ie: strong
passwords, tokens, etc)
If you have a security policy in place, how often is it
reviewed? Every quarter? Every year?
Are there plans to do periodic testing and assessments of your
Do you have an Incident Response Team? If not, who should be on
A gap analysis should be used like a preliminary physical
examination. It provides you direction and allows you to establish
the complexity of the problems. Thus, it provides the roadmap so
that the on-going treatment plans that will make activities such as
in-depth risk analysis, vulnerability assessment and penetration
testing effective in helping cure the ailment, rather than merely
soothe the symptoms.
To respond to this or previous newsletters or to inquire about
an on-site presentation, please feel free to call us at
508-995-4933 or email us at [email protected]
Until next month.....
Got something to add? Send me email.
Increase ad revenue 50-250% with Ezoic
More Articles by Michael Desrosiers
© 2012-07-07 Michael Desrosiers