We assess and document compliance to:

  1. H.I.P.A.A.

  2. Sarbanes-Oxley (SoX)

  3. Gramm-Leach-Bliley Act (GLBA)

  4. Payment Card Industry (PCI) Data Security Standard

  5. N.I.S.T SP 800-30

  6. I.S.O. 27001/I.S.O. 17799

  7. SAS 70

  8. FERPA

  9. FISMA

  10. NERC

  11. Safe Harbor Act

H.I.P.A.A. implementation plan

The following 10-step plan is offered as a high-level guide of what needs to be accomplished.

  1. Formally appoint an Information Security Official to lead your organization's HIPAA Security remediation project. Doing this means you have already satisfied one of the security requirements. In an ongoing security program, this responsibility can be shifted to a group of appropriate individuals, but during the remediation effort, should really be led by one person.
  2. Create a team of stakeholders that can assist in completing the remaining tasks (HIPAA Security Committee). Because security compliance is an organizational (not just IT) goal, be sure to include members of finance, HR, HIM and the clinical departments in your committee.
  3. Perform a HIPAA evaluation which is commonly referred to as a HIPAA Gap Analysis. Take a look at each of the HIPAA standards and document your current compliance level.
  4. Create an inventory of all systems that maintain ePHI within the organization - and remember, this inventory should not be restricted to only systems managed by your Information Systems department. Any standalone departmental systems or databases that reside on the network should be included in this inventory.
  5. Perform an evaluation of each system to determine HIPAA compliance. Ask questions such as, "Do these systems have audit trail?", "Do these systems have a timeout function?", and "Are we managing who has access to these systems and who does not?"
  6. Begin the process of Risk Analysis to identify all reasonable risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. You can use the NIST SP800-30 as a guide; an updated draft version is currently available for download (http://csrc.nist.gov/publications/nistpubs/). You can begin this process by having a brainstorming session to identify all vulnerabilities to the organization. Many organizations are creating mechanisms for employees to report risks and vulnerabilities to the information security officer. External firms can assist you in this effort and offer an objective way to identify risks and vulnerabilities within networks, operating systems, firewalls, administrative controls, and physical controls. After you have identified the vulnerabilities, it is important that you determine the probability that the risk will occur and the impact to the organization. With this information, you can classify vulnerabilities and risks; one example of this might be as Very High, High, Medium, and Low.
  7. After you have identified the vulnerabilities within the organization, perform Risk Management to determine the actions to take for each risk or vulnerability. The options can include:
    1. Mitigate
    2. Transfer
    3. Watch
    4. Accept
  8. Create an action plan to implement the recommended safeguards.
  9. Create policies to guide the organization for each of the HIPAA standards. Word to the wise: HIPAA requires that organizations address and document their compliance for each of the 54 standards and implementation features. At this late date, it may be beneficial to purchase templates. Finally, if you purchase policies, you must evaluate them and make sure that they reflect your corporate culture and that you are prepared to follow the policies.
  10. Implement the recommended safeguards.

If you follow these guidelines, you will be on your way to HIPAA compliance.

Please submit your payment of $999.00 for a complete Regulatory Compliance Assessment for one applicable regulation.

Business Name:
Contact Information:
Email Address:
URL or IP address:

Other members of our business group:
Cloud-Security.us | US-scada.com

COPYRIGHT (C) 2000 - 2011 InfoSecPro.com ALL RIGHTS RESERVED