Saturday, October 30, 2004


September 29th HIPAA Security Seminar
Copyright 2005-2008, Edward Davis All Rights Reserved

Thursday, October 28, 2004

Information System Activity Review

The final part of the Security Management section of the Administrative Rule is also a required component. Agencies must implement procedures to regularly review records of Information System activity, such as audit logs, access reports, and security incident tracking reports. In practice this means finding out what logs your systems and your Health Care Application already produce, learning how to read them, and then reviewing them on a fixed schedule to detect possible security issues or breaches, and keeping a record that the review was done. If the volume of log data is large, you may want to consider purchasing some type of logging or log review software to make this task easier.
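As an added illustration of what a routine activity review can look like (this is example code, not part of the original post and not anything the rule prescribes), the script below reads a small constructed access log from a hypothetical Health Care Application and flags three patterns a reviewer would want to see: access to patient records outside business hours, bursts of failed logins, and one user viewing an unusually large number of distinct records in a day. The log format, field names and thresholds are assumptions chosen for the example; adapt them to whatever your own application actually logs.

```python
"""Review an EPHI access log for the kinds of events a periodic
Information System Activity Review is meant to catch.

Added example, not from the original post.  The log format
(timestamp,user,patient_id,action,result) and the thresholds are
assumptions chosen for illustration, not anything the rule prescribes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per access attempt to a hypothetical
# health care application.  Fields: timestamp, user, patient record id
# ("-" for events not tied to a record), action, result.
SAMPLE_LOG = """\
2004-10-25T08:55:10,jsmith,P1001,view,success
2004-10-25T09:02:41,jsmith,P1002,view,success
2004-10-25T09:10:05,rlee,-,login,failure
2004-10-25T09:10:19,rlee,-,login,failure
2004-10-25T09:10:33,rlee,-,login,failure
2004-10-25T09:10:47,rlee,-,login,failure
2004-10-25T09:11:02,rlee,-,login,success
2004-10-25T14:20:00,mgarcia,P1003,update,success
2004-10-25T23:47:12,tbrown,P1004,view,success
2004-10-26T10:00:00,mgarcia,P1005,view,success
2004-10-26T10:01:00,mgarcia,P1006,view,success
2004-10-26T10:02:00,mgarcia,P1007,view,success
2004-10-26T10:03:00,mgarcia,P1008,view,success
2004-10-26T10:04:00,mgarcia,P1009,view,success
2004-10-26T10:05:00,mgarcia,P1010,view,success
"""

BUSINESS_HOURS = (7, 19)                    # 07:00-19:00 is normal working time (assumed)
FAILED_LOGIN_LIMIT = 3                      # flag 3 or more failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within a 5 minute window
DISTINCT_PATIENT_LIMIT = 5                  # flag more than 5 distinct records per user per day


def parse_log(text):
    """Parse CSV lines into dicts with a real datetime for the timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, patient, action, result = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action, "result": result})
    return records


def review(records):
    """Return a list of (finding_type, user, detail) tuples for a reviewer to follow up."""
    findings = []

    # 1. Patient record access outside business hours.
    for r in records:
        if r["patient"] != "-" and not (BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours_access", r["user"],
                             f"{r['patient']} at {r['ts'].isoformat()}"))

    # 2. Bursts of failed logins for one account (possible password guessing).
    failures = defaultdict(list)
    for r in records:
        if r["action"] == "login" and r["result"] == "failure":
            failures[r["user"]].append(r["ts"])
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - FAILED_LOGIN_LIMIT + 1):
            if times[i + FAILED_LOGIN_LIMIT - 1] - times[i] <= FAILED_LOGIN_WINDOW:
                findings.append(("failed_login_burst", user,
                                 f"{FAILED_LOGIN_LIMIT}+ failures starting {times[i].isoformat()}"))
                break  # one finding per user is enough for the report

    # 3. One user touching an unusual number of distinct records in a day
    #    (a common sign of browsing records without a treatment reason).
    per_day = defaultdict(set)
    for r in records:
        if r["patient"] != "-":
            per_day[(r["user"], r["ts"].date())].add(r["patient"])
    for (user, day), patients in per_day.items():
        if len(patients) > DISTINCT_PATIENT_LIMIT:
            findings.append(("high_record_volume", user,
                             f"{len(patients)} distinct records on {day}"))

    return findings


def review_sample():
    """Run the review over the constructed sample log."""
    return review(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, user, detail in review_sample():
        print(f"{kind:20} {user:10} {detail}")
```

Run against the sample log this reports one after-hours view (tbrown), one failed-login burst (rlee) and one high-volume day (mgarcia, six records). The point is not the specific thresholds but that the review is repeatable: the same checks run every week, and the output is something you can file as evidence that the review happened.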

So the required tasks under the Security Management section of the Administrative Rule are:

  • Risk Analysis
  • Risk Management
  • Sanction Policy
  • Information System Activity Review




Friday, October 22, 2004

Sanction Policy - Required

Agencies must create and document policies that apply sanctions against employees who fail to comply with the agency's Security Policies and Procedures.

Basically you need to write the sanction policy, train employees on the security policies and on the sanctions for violating them, and then apply the sanctions consistently when a violation occurs.

The first three tasks under the Security Management section of the Administrative Rule are:

  • Perform Risk Analysis
  • Document Risk Management Measures
  • Create Workforce Sanction Policies


Risk Management - Required

The first required task under the Security Management section of the Administrative Rule is to do a Risk Analysis. The Risk Analysis must be performed and documented. The next required task is Risk Management.

Risk Management requires that you document and implement security measures that reduce the risks and vulnerabilities found during the Risk Analysis task to a reasonable and appropriate level. This task should generate several sub-tasks, many of which are requirements of other sections of the rule, so it is worth tracking each one back to the risk it addresses.

Monday, October 18, 2004

Security Management

The first section under the Administrative Rule is Security Management. The rule states that organizations must Implement Policies and Procedures To Prevent, Detect, Contain, and Correct Security Violations. This covers a lot of area. The first item in this section is a required item. Organizations MUST perform a risk analysis: an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI.

This risk analysis must document where EPHI is present and what risks and vulnerabilities are present at each of these locations. For most agencies the Health Care Application they use is probably the key area for this issue, but do not forget copies of the data in backups, reports, exported files, and on laptops or workstations. Document which areas of your organization have access to this data, who has access, and what potential risks are involved.

There are several other items in this section that further describe Security Management items. I will detail them in subsequent posts. For now think about how you are going to perform your Risk Analysis and how you are going to document it.

Tuesday, October 12, 2004

Security Rule Basics

The HIPAA Security Rule requires that covered entities, including health care providers, protect the confidentiality, integrity, and availability of all Electronic Protected Health Information (EPHI for the rest of this Blog).

The rule is divided into 3 sections: Administrative, Physical, and Technical. Each section has several standards that must be met, and most standards have implementation specifications. These specifications come in 2 flavors: Required (must be implemented as stated) and Addressable (you must assess whether the specification is reasonable and appropriate for your environment, then implement it, implement an equivalent alternative measure, or document why neither is reasonable and appropriate).

The Administrative section is the largest and is basically a list of policy and procedure requirements. The Physical section defines the requirements for physical security of your buildings, equipment, etc. The Technical section defines the requirements for securing access, integrity, and availability of your electronic data.

A copy of the HIPAA Security Rule can be found on our website. (The document is a PDF, so you must have Acrobat Reader or another PDF reader to view it.)

Sunday, October 10, 2004

Welcome!

Welcome to our Blog dedicated to the upcoming HIPAA Security Rule. The compliance date for the rule is 4/20/05. There are many aspects to meeting the requirements of this rule. We will use this blog to define the various aspects of the rule and to guide you in implementing the steps necessary to meet the requirements. We will post to this Blog at least weekly. If you have an RSS reader you can subscribe to this Blog to be notified when new posts have been made. If not, you can check here once or twice a week to view the most current posts and comments.

This Blog is meant to be a group discussion. Feel free to comment on any post by clicking on the Comments link. If you have ideas or questions on any of the posts submit a comment for all of us to view and discuss. You can also email the post to a colleague by clicking on the envelope button at the bottom of each post.

We hope this Blog will help you in implementing the HIPAA Security Rule.