With SOX specifically, I've heard that auditors' expectations are evolving. In other words, what was good enough last year isn't necessarily good enough this year. Are you seeing the same thing happening with HIPAA? If so, what do I need to do to make sure my health care customers are meeting those expectations?
All Covered Entities, except small health plans, were required to be compliant with the HIPAA Privacy Rule on April 14, 2003. In addition, all Covered Entities, except small health plans, were required to be compliant with the HIPAA Security Rule on April 20, 2005. For the purposes of this answer, we will focus on the Security Rule.
The first standard under the Administrative Safeguards section is the Security Management Process. The purpose of this standard is to establish the administrative processes and procedures that a Covered Entity will use to implement a security program within its environment. The four implementation specifications under this standard include: Risk Analysis, Risk Management, Sanction Policy and Information Security Activity Review. The first two are of importance, as they are critical to a Covered Entity's Security Rule compliance efforts. The results from the Risk Analysis and Risk Management processes are the baseline for all security processes and compliance levels within the Covered Entity.
Therefore, in order to ensure your customers are meeting the expectations of the Security Rule, it is imperative that such customers have a well-defined, documented and implemented Risk Analysis process. The Risk Analysis process identifies potential security risks and determines the probability of occurrence and magnitude of such risks. If a Covered Entity is continuously aware of the risks affecting EPHI and knows the probability and magnitude of said risks, it can address them, either through mitigation or acceptance, in a shorter period of time, thereby continuing its efforts to be compliant against the Security Rule.
It is also equally important that a Covered Entity has a well-defined, documented and implemented Risk Management Process. This process is used to identify and implement security measures to reduce the risk to a reasonable and appropriate level within the Covered Entity. Again, if the Covered Entity is aware of the risks affecting EPHI and has a process in place to implement the appropriate security controls to mitigate these risks, it is continuing its efforts to be compliant against the Security Rule.
In summary, the best way to ensure your customers are meeting all expectations within the Security Rule is to make certain they have the Risk Analysis and Risk Management Processes in place, and are using such processes to identify and mitigate any risks that arise.
For more information on helping your customers comply with HIPAA and other federal regulations, visit our regulatory compliance resource center.