RISK ANALYSIS - A HIPAA SECURITY REQUIREMENT
The HIPAA Security Rule is all about implementing effective risk management to adequately and effectively protect Electronic Protected Health Information (EPHI). The assessment, analysis, and management of risk provide the foundation of a covered entity’s (such as a hospital’s or a health system’s) Security Rule compliance efforts, serving as tools to develop and maintain the covered entity’s strategy to protect the confidentiality, integrity, and availability of EPHI.
All EPHI created, received, maintained, or transmitted by a covered entity is subject to the Security Rule. Covered entities are required to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or vulnerabilities to the security of EPHI.
Under the Security Rule, covered entities are required to evaluate risks and vulnerabilities in their environments and to implement security controls to address those risks and vulnerabilities.
Has your organization completed the requirements of the HIPAA Security Rule’s risk analysis implementation specification?
The selection and specification of security controls can be accomplished as part of an organization-wide information security program that involves the management of organizational risk - that is, the risk to information, individuals, and the organization as a whole. The management of risk is a key element in the organization's information security program and provides an effective framework for selecting the appropriate security controls for an information system - the security controls necessary to protect individuals and the operations and assets of the organization.
In complying with the HIPAA Security Rule, covered entities such as hospitals and health systems must be aware of the definitions provided for confidentiality, integrity, and availability as given by § 164.304:
Confidentiality is “the property that data or information is not made available or disclosed to unauthorized persons or processes.”
Integrity is “the property that data or information have not been altered or destroyed in an unauthorized manner.”
Availability is “the property that data or information is accessible and useable upon demand by an authorized person.”
The HIPAA Security Rule requires that each covered entity, such as a hospital or health system, must:
- Ensure the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits
- Protect against any reasonably anticipated threats and hazards to the security or integrity of EPHI
- Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule
Contact Steve.Ferrick@ecfirst.com or call 1.877.899.9974 x14 to discuss risk analysis, vulnerability assessment, and other State & Federal requirements. ecfirst has significant experience enabling healthcare organizations to conduct HIPAA assessments. Talk to us to learn more about how we can help address your challenges with HIPAA compliance, including new requirements from the HITECH Act. Ask Steve for the executive brief PDF, Increased Mandates for Privacy & Security of Health Information, New Penalties Established, to learn more about the HITECH Act requirements and recent fines from the FTC and HHS.
JUNE 4th 2009 WEBINAR: GETTING STARTED WITH ISO 27000
To learn more about the ISO 27000 global information security standard, including ISO 27001 and ISO 27002, join cyber security and compliance expert Ali Pabrai for the first-of-its-kind 60-minute webinar, Getting Started with ISO 27000. The ISO 27001 and ISO 27002 standards may be applied to address compliance requirements for U.S. federal (e.g. HIPAA, HITECH) and State regulations (e.g. California, Massachusetts and others). To register, please visit www.ecfirst.com or contact John Schelewitz@ecfirst.com or call 1.480.663.3225.