Monday, October 18, 2004

Security Management

The first section under the Administrative Rules area is Security Management. The rule states that organizations must "implement policies and procedures to prevent, detect, contain, and correct security violations." This covers a lot of ground. The first item in this section is a required item: organizations MUST perform a risk analysis of potential risks and vulnerabilities to EPHI.

This risk analysis must document where EPHI is present and what risks and vulnerabilities are present at each of these locations. For most agencies, the Health Care Application they use is probably the key area for this issue. Document which areas of your organization have access to this data, who has access, and what potential risks are involved.

There are several other items in this section that further describe Security Management. I will detail them in subsequent posts. For now, think about how you are going to perform your Risk Analysis and how you are going to document it.
