Why Your IT Clients Need A HIPAA Risk Assessment
By Craig Taylor, Chief Security Officer, Neoscope Technology Solutions, ASCII Member since 2012
If your clients deal with healthcare records of any kind for Health Insurance Portability and Accountability Act (HIPAA) purposes, their business is considered either a covered entity or a business associate, and they should be preparing in earnest for Office of Civil Rights (OCR) HIPAA audits in 2015 and 2016. That preparation should include an examination of compliance with HIPAA’s Privacy, Security, and Breach Notification Rules. An entity’s compliance is best assessed by having a risk assessment conducted by a qualified security professional who examines the threats and vulnerabilities to physical and electronic HIPAA data (i.e., the risks) within an organization. A thorough and proper risk assessment by a qualified solutions provider will go two steps further by:
- estimating both the impact and probability of those risks to the entity
- working with the entity to identify mitigating controls to eliminate or reduce those risks to acceptable levels
OCR Audit Program
|
HITECH… requires [OCR] to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. |
Back in 2013 the OCR concluded its pilot HIPAA audit program of covered entities. After a three year hiatus, and in light of the massive Anthem security breach last year (69 million records compromised), the heat has been turned up on the OCR to ramp up their auditing and enforcement program as mandated by the HITECH Act.
Please log in or register below to read the full article.
Get unlimited access to:
Enter your credentials below to log in. Not yet a member of VAR Insights? Subscribe today.