HIPAA Compliance

Security Management Process: Risk Management-What to Do and How to Do It

February 20, 2009 | HIPAA Law

In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Security Management Process).  This implementation specification is required.

What to Do

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the general requirements of the security standard as outlined in 45 CFR 306(a).  The general requirements are:

1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under [the Privacy Rule].
4. Ensure compliance with this subpart by its workforce.

How to Do It

This implementation specification requires the covered entity to develop and implement a plan to manage risks that it identified in its Risk Analysis.  The risk management plan will provide the foundation for implementation of the covered entity’s security policies and procedures.  In preparing the plan, the covered entity may take into consideration the following factors under the “flexibility of approach” general rule that underpins the Security Rule:

» “The size, complexity, and capabilities of the covered entity.”
» “The covered entity’s technical infrastructure, hardware, and software security capabilities.”
» “The costs of security measures.”
» “The probability and criticality of potential risks to electronic protected health information.”

Risks change over time, so the covered entity must use ongoing efforts to ensure an acceptable level of risk.  As an example, passwords must be changed on a regular basis to maintain an acceptable level of risk regarding unauthorized system access.

© 2023 · hipaa.com