Security Management Process: Risk Management - What to Do and How to Do It

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard standard Security Management Process (45 CFR 164.308(a)(1)). This implementation specification, Risk Management, is required, not addressable: a covered entity cannot opt out of it by documenting an alternative.

What to Do

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general requirements of the Security Rule, set out in 45 CFR 164.306(a). The first of those general requirements is:

1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

How to Do It

This implementation specification requires the covered entity to develop and implement a plan to manage the risks it identified in its Risk Analysis (the first implementation specification of this standard). The risk management plan provides the foundation for the covered entity's security policies and procedures: each risk the analysis rated above the level the entity is willing to accept should map to a specific safeguard, an owner, and a target date, and the decisions made, including any risk the entity chooses to accept rather than mitigate, should be documented so they can be produced in an audit.

In preparing the plan, the covered entity may take into account, under the "flexibility of approach" general rule that underpins the Security Rule (45 CFR 164.306(b)), factors such as:

» "The size, complexity, and capabilities of the covered entity."

Risks change over time, so the covered entity must treat risk management as an ongoing effort rather than a one-time project, revisiting the plan when systems, vendors, or workforce change and reviewing it periodically in any case. As an example, a covered entity may require that passwords be changed on a regular basis to keep the risk of unauthorized system access at an acceptable level. Note that the Security Rule itself does not prescribe a password rotation interval; password management is an addressable specification under the Security Awareness and Training standard (45 CFR 164.308(a)(5)(ii)(D)), so whether to rotate passwords, and how often, is a decision the entity makes on the basis of its own risk analysis and records in its risk management plan.

Ed Jones, Author & Healthcare Authority

Filed Under: HIPAA Law: Administrative Simplification