What is required for an information security risk analysis?
HIPAA Weekly Advisor, December 14, 2001
Q: What is required for an information security risk analysis?
A: HIPAA's risk analysis requirement calls for the identification and documentation of threats and vulnerabilities. A risk analysis may examine an organization's computer systems and network, as well as its physical security measures, existing policies and procedures, and employee awareness, attitudes, and workload.
Computer systems are examined for known vulnerabilities and elementary policy compliance. The network and information infrastructure are assessed for risk areas.
Administrative and physical threats and vulnerabilities are assessed throughout the organization's physical plant. Policies and procedures, and the organization's compliance with them, are audited.
Finally, some organizations with mature security programs are having penetration tests performed to simulate an intrusion. All findings compiled during the risk analysis should be recorded.
From HIPAA Made Simple: A Practical Guide to Compliance. This book is a practical guide to implementing the HIPAA regulations and is geared toward helping to ease your workload in these demanding days of preparing for compliance. To learn more or to order, go to http://www.hcmarketplace.com/prod/showdetl.cfm?did=6&product_id=10819
Clarification
Last week's Question of the Week covered de-identifying data when releasing it to a direct mailing company for a hospital newsletter.
Mailing hospital newsletters to a large group, including patients, even if they contain "marketing" information about the hospital's services, does not require patient authorization or any other special action on the part of the hospital.
For certain marketing letters sent by hospitals, it is sufficient to include an "opt out" notice in the marketing letter. No authorization is required. The notice gives patient recipients both the opportunity and the instructions to opt out of further marketing notices, so the hospital must be prepared to handle such responses.
Further, if a hospital uses a business associate to prepare and/or mail the newsletter or a marketing letter on the hospital's behalf, no patient authorization is needed.
The above practices assume, however, that the hospital has already obtained patient consent, which is required by HIPAA prior to any patient care.