Security Management Process: Risk Management-What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Security Management Process).  This implementation specification is required. What to Do Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general requirements of the security standard as outlined in 45 CFR 306(a).  The general requirements are: 1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits. 2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. 3. Protect against any reasonably…

READ MORE

Security Management Process: Risk Analysis-What to Do and How to Do It

Security Management Process is the first administrative standard of the Security Rule, and Risk Analysis is the implementation specification.  Each covered entity is required to conduct a risk analysis or assessment to determine vulnerabilities and threats and to identify and put in place risk mitigation measures for safeguarding electronic protected health information.  Electronic protected health information is the content of the HIPAA Administrative Simplification Standard Transactions and of the expected growing adoption of clinically-based electronic health record systems. What to do:  Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. How to…

READ MORE