Risk Assessment Essential HITECH Step

Helps with HIPAA Security Rule compliance
A critical first step down the path toward HITECH Act compliance is conducting a thorough risk assessment, an official with the agency enforcing compliance says.

That's why the HHS Office for Civil Rights has issued draft guidance on risk assessments, says Marissa Gordon-Nguyen, an OCR health information privacy specialist. The office will revise the guidance, the first in a series of educational materials mandated by the HITECH Act, based on public comments.

As a result of HITECH, the OCR now enforces the toughened HIPAA security rule as well as the privacy rule.

A thorough risk assessment supports compliance with all aspects of the HIPAA Security Rule and helps "reduce risk to a reasonable and appropriate level," Gordon-Nguyen says.

Security must be addressed "every step of the way, not just after the fact once a system is deployed," she adds.

The National Institute of Standards and Technology is developing a risk management framework that will prove helpful for healthcare organizations that are conducting risk assessments, says Pat Toth, information security specialist at NIST.

The framework, a work in progress, eventually will spell out six steps:

  • Categorize information systems as to what impact they would have if information within them is compromised.
  • Select security controls.
  • Implement security controls.
  • Assess security controls to make sure they're effective.
  • Prepare documentation to authorize the use of specific information systems.
  • Monitor the state of security.

NIST has developed a one-day training course on the six-step framework and soon will make available a two-hour web-based training session.

Toth and Gordon-Nguyen made their comments May 11 in Washington, D.C., at the conference: "Safeguarding Health Information: Building Assurance through HIPAA Security," sponsored by OCR and NIST.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
