Risk Assessment Essential HITECH Step
Helps with HIPAA Security Rule compliance
That's why the HHS Office for Civil Rights has issued draft guidance on risk assessments, says Marissa Gordon-Nguyen, an OCR health information privacy specialist. The office will revise the guidance, the first in a series of educational materials mandated by the HITECH Act, based on public comments.
As a result of HITECH, the OCR now enforces the toughened HIPAA security rule as well as the privacy rule.
A thorough risk assessment supports compliance with all aspects of the HIPAA Security Rule and helps "reduce risk to a reasonable and appropriate level," Gordon-Nguyen says.
Security must be addressed "every step of the way, not just after the fact once a system is deployed," she adds.
The National Institute of Standards and Technology is developing a risk management framework that will prove helpful for healthcare organizations that are conducting risk assessments, says Pat Toth, information security specialist at NIST.
The framework, a work in progress, eventually will spell out six steps:
- Categorize information systems according to the impact a compromise of the information within them would have.
- Select security controls.
- Implement security controls.
- Assess security controls to make sure they're effective.
- Prepare documentation to authorize the use of specific information systems.
- Monitor the state of security.
NIST has developed a one-day training course on the six-step framework and soon will make available a two-hour web-based training session.
Toth and Gordon-Nguyen made their comments May 11 in Washington, D.C., at the conference: "Safeguarding Health Information: Building Assurance through HIPAA Security," sponsored by OCR and NIST.