Corporate Compliance

Tip: Three steps to satisfy HIPAA security

Compliance Monitor, February 2, 2005

If you neglected to consider the looming security deadline when you made your New Year's resolutions, it's not too late. This is the year you can whip your facility into tip-top security compliance.

Chris Apgar, CISSP, president of Apgar and Associates, LLC in Portland, OR, offers the following HIPAA security New Year's resolutions for your facility:

1. Review your compliance progress. By now, you should have a program in place to move your organization toward HIPAA security compliance. That doesn't mean you must be 100% ready now. You still have time, but the clock is ticking.

2. Reassess your training program. Does the HIPAA training program you use work? Ask staff whether they feel comfortable with the general training they receive and what other information they want. Provide specialized training for employees who work in specific areas (e.g., network engineers and medical records department employees).

3. Review and modify your original risk assessment and develop your audit program. Your initial analysis should have helped determine the flow of ePHI in your organization and enabled you to create and enforce security policies and procedures to fill security gaps. To make sure you targeted the correct areas,

  • review all critical systems that process ePHI or other sensitive information and document the purpose of these systems and the flow of information.
  • identify potential vulnerabilities to evaluate the likelihood and effects of the risks you determined in your analysis. Audit areas of weakness.
  • determine whether the areas you initially selected are still the most vulnerable and whether the safeguards you developed have worked thus far.

Editor's note: Adapted from "Ring in the New Year with seven steps to satisfy HIPAA security," Briefings on HIPAA, January 2005.
