Products now available in the HSG Store. |
HIPAA Breach Notification Framework
Our HIPAA Breach Notification Framework walks you through the process of analyzing security incidents to determine what actions you must take to ensure your response complies with the HITECH Breach Notification requirements. The Framework discusses HITECH breach compliance in simple terms and uses twelve flowchart diagrams to help you navigate the process. It also includes tools and templates that help "jump start" your breach notification compliance initiative.
Buy Now...
Business Associate Agreement: a HITECH Ready Model Contract
Our model Business Associate Agreement includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links to the relevant statutory/regulatory authority that underpins each Contract clause. The Contract package also includes a complete "User's Guide," with a clause-by-clause explanation of the issues addressed in the Contract.
Buy Now...
The Security Rule Under HITECH: a Business Associate Perspective First Edition
The most important step for building a "good SR compliance story" is for the business associate to get started. The approach in The Security Rule Under HITECH is to build the story iteratively over time. Most business associates (large or small) will likely need help in creating the story. The framework discussed throughout this document provides a good road map to follow.
Buy Now...
HIPAA Core Training Combo
This package includes the Breach Notification Simplified Training Module, the HIPAA Privacy Rule under HITECH Training Module, the HIPAA Security Rule Under HITECH Training Module and the HITECH and HIPAA Compliant Training Module all in one Combo Package. Buy all 4 for a little more than the price of 3.
Buy Now...
Join Our Mailing List
Interested in staying current on HITECH / HIPAA compliance issues? Click the "join our list" link above and receive your own copy of the newsletter each month.
HIPAA Survival Guide Subscription Plan
Cloud, Social Media, and Mobile Checklist Product Overview
Business Associate Agreement Product Overview
HIPAA / HITECH Core Training Product Overview
Privacy Rule Checklist Product Overview
Breach Notification Framework Product Overview
Dear Carlos,
Welcome to our November 2013 HIPAA Compliance Newsletter.
Our article this month is entitled: Risk Assessments: A Foundational Methodology.
This article will provide an illustration of a foundational methodology that can be used to perform a Risk Assessment that complies with a critical Implementation Specification of the HIPAA Security Rule. It is also the topic of our next Webinar.
FREE Webinar: A Risk Assessment Foundational Methodology
Webinar Description
This Webinar will provide an illustration of a foundational methodology that can be used to perform a Risk Assessment that complies with a mission critical Implementation Specification of the HIPAA Security Rule.
Date/Time
Thursday, November 14, 2013 2:00 PM - 3:30 PM EDT
Registration
Click here to register.
Only five hundred (500) seats are available, so log in early if you would like to attend.
Omnibus Rule Ready™
HIPAA Risk Assessment Training - Our HIPAA Risk Assessment Training Module gets you up to speed on the mandatory HIPAA Security Rule's Risk Assessment implementation specification.
A Risk Assessment is required to comply with the HIPAA Security Rule and also to comply with Meaningful Use Stage I's Core Objective 15 and attestation.
A Risk Assessment is foundational to your HIPAA Security Rule compliance initiative and your Organization is likely to be found in "willful neglect" if you ignore this requirement.
HSG Announcements
Join the Conversation
The HIPAA Survival Group on LinkedIn continues to be the go to place for meaningful discussion of HITECH / HIPAA issues. You will find many industry thought leaders and insiders sharing their views on the evolving compliance landscape.
Stay Connected
Want to stay updated throughout the month? Follow Carlos on Twitter by clicking on the badge below. If you would like to read more regarding the authors' views on HIT and compliance, click here and here and subscribe to their blogs. Become a fan: follow us on Facebook by becoming a fan of the HIPAA Survival Guide. Also, be sure to check out our HITECH Videos.
This article will provide an illustration of a foundational methodology that can be used to perform a Risk Assessment that complies with a critical Implementation Specification of the HIPAA Security Rule. It is also the topic of our next Webinar. Before you attempt a Risk Assessment ("RA") you must familiarize yourself with the RA "lingo." We covered the basic vocabulary in this article and therefore won't repeat it here.
A Risk Assessment in Seven Basic Steps?
There are a number of different frameworks available for conducting a Risk Assessment; the one that we present here is based on our best practices research.
- Gather data regarding existing Operations, Assets and Individuals.
- Identify and document potential Threats & Vulnerabilities.
- Assess current Security Controls.
- Determine the likelihood of a Threat.
- Determine the potential Impact of a Threat.
- Determine the level of Risk associated with Threat/Vulnerability pairs.
- Identify new/modified Security Controls and finalize documentation.
Notice that a Risk Assessment (the Security Rule calls it "Risk Analysis"; see §164.308(a)(1)(ii)(A)) does not actually require your Organization to implement new Security Controls; it is a pure analysis exercise. Implementation takes place under the next implementation specification, "Risk Management" (§164.308(a)(1)(ii)(B)).
Like all things related to HIPAA, describing what to do is simple compared to actually doing it, which is not necessarily easy. In the next section we cover what it means to walk through these seven steps.
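To make steps 4 through 6 concrete, here is an added example of a small risk register that rates each Threat/Vulnerability pair by likelihood and impact and ranks the results. This is illustrative code written for this newsletter, not a tool from the HIPAA Survival Guide or a method prescribed by the Security Rule; the three-level scale, the 3x3 likelihood-by-impact matrix, the band thresholds, and the sample inventory are all assumptions constructed for the example.

```python
"""Risk register illustrating steps 4-6 of the seven-step methodology:
rate likelihood and impact for each Threat/Vulnerability pair, derive a
risk level, and rank the pairs. Added example; the 3x3 qualitative
matrix and thresholds are assumptions, not the page's own method."""

from dataclasses import dataclass, field
from typing import Dict, List

# Qualitative levels mapped to ordinal scores (assumed scale).
LEVELS: Dict[str, int] = {"low": 1, "medium": 2, "high": 3}


@dataclass
class ThreatVulnPair:
    asset: str
    threat: str
    vulnerability: str
    existing_controls: List[str] = field(default_factory=list)
    likelihood: str = "medium"   # judged with existing controls in place (step 4)
    impact: str = "medium"       # effect on confidentiality/integrity/availability of ePHI (step 5)


def risk_score(likelihood: str, impact: str) -> int:
    """Ordinal likelihood x impact (1..9); raises KeyError on an unknown level."""
    return LEVELS[likelihood.lower()] * LEVELS[impact.lower()]


def risk_level(likelihood: str, impact: str) -> str:
    """Map the 1..9 score to three bands (assumed thresholds: 6+ high, 3+ medium)."""
    score = risk_score(likelihood, impact)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_register(pairs: List[ThreatVulnPair]) -> List[dict]:
    """Step 6: rate every pair and rank highest risk first.

    The register is analysis only. Selecting new or modified controls is the
    separate Risk Management activity, so 'recommended_controls' is left empty
    here for that step to fill in."""
    rows = []
    for p in pairs:
        rows.append({
            "asset": p.asset,
            "threat": p.threat,
            "vulnerability": p.vulnerability,
            "existing_controls": list(p.existing_controls),
            "likelihood": p.likelihood,
            "impact": p.impact,
            "score": risk_score(p.likelihood, p.impact),
            "risk": risk_level(p.likelihood, p.impact),
            "recommended_controls": [],
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


# Constructed sample inventory for illustration only; not data from any organization.
SAMPLE_PAIRS = [
    ThreatVulnPair("Clinician laptops (ePHI)", "Theft or loss",
                   "No full-disk encryption", ["Cable locks"], "high", "high"),
    ThreatVulnPair("EHR server", "Ransomware",
                   "Unpatched OS, backups untested", ["Antivirus"], "medium", "high"),
    ThreatVulnPair("Billing workstation", "Insider snooping",
                   "Shared login, no audit log review", ["Role-based access"], "medium", "medium"),
    ThreatVulnPair("Fax machine in locked office", "Misdirected fax",
                   "Manual dialing", ["Cover sheet", "Confirm number"], "low", "medium"),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_PAIRS):
        print(f'{row["risk"]:6} ({row["score"]})  {row["asset"]}: '
              f'{row["threat"]} / {row["vulnerability"]}')
```

Running the script prints the constructed pairs ranked from highest to lowest risk. The point of the structure is that likelihood is judged with existing controls already taken into account (step 3 feeds step 4), and that the register records a rating and a rank but deliberately leaves the choice of new controls to Risk Management.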
The Devil is in the Details?
Although "successfully" conducting a Risk Assessment is certainly a non-trivial exercise, it is not nearly as daunting once you get a grasp of a few basic concepts. Further, although a Risk Assessment will almost always require the use of enabling technologies (e.g. network scanners, penetration testing tools, etc.) it is not something that should be just "thrown over the wall" to the information technology department. That's a recipe for failure. Like so many things related to the Security Rule, it is far more important to get the people and process components correct than to master the technical skills. You can readily get help with the latter.
About Us
3Lions Publishing, Inc. is now the owner/operator of the HIPAA Survival Guide website and the official sponsor of this newsletter. Our mission is to bring you HITECH / HIPAA statutes and regulations in an easy to read and digestible format, products that help reduce the burden of compliance, and "news you can use" via our newsletter.
We take a partnering and collaborative approach to the marketplace. If you would like to see specific topics covered in this newsletter, or additional products, then please let us know.
Carlos Leyva, CEO 3Lions Publishing, Inc.
(800) 516-7903