By Alvin Fong, CISSP, and Katherine Keefe
For Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates starting their security journey, understanding the “lifecycle” of electronic protected health information (ePHI) is an integral piece of the HIPAA risk analysis. It is critical to know where it is “born,” where it “lives,” how it is transferred to and from third-party vendors and where it is destroyed. These entities can start by sitting down with key personnel and building an ePHI inventory through interviews and information systems assessments. For larger enterprises, various content management systems and security tools can automatically identify ePHI in the organization and systematically classify data.
Despite their importance, many risk analyses are insufficient. Some companies undergoing regulatory scrutiny by the Office of Civil Rights (OCR) discover that their previous cybersecurity/audit firm had conducted only a gap analysis, which does not meet OCR’s audit protocol. To prevent this from happening to your organization, ask how the cybersecurity consulting organization’s approach addresses OCR’s requirements.