6.5 DOCUMENTATION, ANALYSIS AND RESULTS

Your deliverables from the gap analysis should be as follows:

  1. A summary of the information collected during your information audit. This can range from a directory listing on your network to several large notebooks containing the information in hard copy, organized and indexed for easy reference. The key to organizing your documentation is being able to find and update this information in the future, because you have effectively created a valuable reference for your organization for continuing planning and auditing.

  2. A completed set of background interviews. This information can also be part of your reference documentation and should be organized by date, interviewee and topic.

  3. Completed questionnaires for both the HIPAA Security Assessment and the P&P review, summarizing the results across your organization. Depending on how you gathered your data using these tools, you will very likely have multiple versions of the questionnaires completed by various individuals or groups. You need to compile each of these tools into a master version on which you can base your subsequent identification of gaps. The results should reflect the lowest common denominator across your agency, although important differences across sites should be acknowledged.

  4. An Analysis Report. This report should contain two key elements: a summary of the gaps relative to each part of the rule, and a summary matrix that gives management an overall presentation of how compliant the organization is with HIPAA and the areas where remediation is needed.

The rest of this section concentrates on how the analysis might be conducted and the results presented.

6.5.1 Remediation Options

Information system security is intended to protect both the systems and the information they contain from unauthorized access. Its application encompasses multiple safeguards, including hardware, software, personnel policies, information practice policies, disaster preparedness, and the oversight of all these areas. Through various security measures, a health information system can shield confidential information from unauthorized access, disclosure, and misuse, thus protecting the privacy of the individuals to whom the stored data pertains.

Under HIPAA, the only requirement is that the standards be met, not that they be presented in the three major categories. An entity may order these requirements in any way that suits its business. We have developed several general remediation categories and then selected a set of representative actions for each, backed by best practices, that we feel are most closely aligned with the description of each area. This allows you to compare your gaps against these categories and see how they 'cluster', so that your organization can focus on major solution areas rather than trying to close every gap individually. These areas can eventually be tied to your 'best practices' model for security implementation, tailored to the specific needs and business practices of your organization.

We have defined ten (10) basic remediation categories that can be used to help close the security gaps. These options reflect regulation requirements, industry best practices, and the standard use of information technology and automation at various organizations. You can present the results in a matrix that summarizes each section of the rule, the associated gaps, and the applicable remediation option(s), so that your organization can quickly review its compliance with the HIPAA security rule, identify where gaps exist, and propose a direction for closing them. Table 7 summarizes a set of remediation options that can be directly related to a WBS activity model. This model can be implemented in MS Project, and associated tools and resource costs can be assigned. The results of this analysis can then be used to develop an agency-specific remediation plan for security, ultimately integrated with those for privacy and transaction sets, to create an overall approach for the agency to achieve HIPAA compliance.

Table 7: Definition of Remediation Options & WBS Activities

Columns: WBS element / Remediation option / WBS activity description (brief) / Security rule reference

  1. Security Management Program
     Formal and central management structure that creates, administers, and oversees security-related policies and procedures to ensure the prevention, detection, containment, and correction of security breaches.
     Security rule reference: §164.306; §164.308(a) - all; §164.308(a)(1); §164.308(a)(2); §164.308(a)(6); §164.310(a)(1)

  2. Business Continuity Planning and Disaster Recovery
     Contingency planning to respond to a system emergency or disaster. Plans must be formally documented and periodically tested.
     Security rule reference: §164.308(a)(7); §164.310(a)(2)(i)

  3. Policies and Procedures
     An organizational framework that establishes the needed levels of information security and privacy to achieve the desired confidentiality goals.
     Security rule reference: §164.316; all related parts of the rule that refer to P&Ps

  4. Human Resource Policies and Procedures
     Personnel security and other security-related aspects of dealing with employees.
     Security rule reference: §164.308(a)(3)

  5. Business Associate Agreements
     Contract between two business partners for the electronic exchange or handling of data, protecting the integrity and confidentiality of the data exchanged or handled.
     Security rule reference: §164.308(b)(1); §164.314

  6. Security Training and Awareness
     Education of the entity's workforce regarding security, and the reinforcement of that education through ongoing reminders to make security awareness part of the daily responsibilities in the organization.
     Security rule reference: §164.308(a)(5)

  7. System / Network Technical Architecture
     Standards-based architecture that addresses security issues and mitigates risk while meeting the entity's business and functional needs and requirements.
     Security rule reference: §164.312 - all

  8. Evaluation
     Technical evaluation to establish the extent to which a particular computer system or network design and implementation meet a pre-specified set of security requirements.
     Security rule reference: §164.308(a)(8)

  9. System / Network Management & Administration
     Standardized functions and services applied uniformly throughout the organization, centrally managed, and supporting capacity planning and management operations.
     Security rule reference: §164.310(d); §164.312(b)

  10. User Management, Support & Outreach
     Management and support of the end-user environment, incorporating security requirements into the entity's IT support structure, such as through user interactions with the helpdesk and on-line knowledge bases.
     Security rule reference: §164.308(a)(4); §164.308(a)(5)(i)(B)-(D); §164.310(b); §164.310(c); §164.312(a)
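As an added example (not code from the book), the following Python encodes the rule references of Table 7 and clusters a constructed set of gap findings into every remediation option whose references cover them, treating a reference such as §164.308(a) as covering all subsections beneath it. This is the 'clustering' of gaps described above, computed mechanically so the summary matrix can be regenerated as findings change.

```python
from collections import defaultdict

# Option number -> (name, rule references), transcribed from Table 7.
# A reference listed as "- all" is entered as the bare prefix so every
# subsection matches; the "(B)-(D)" range of option 10 is written out.
# Option 3's "all related parts that refer to P&Ps" cannot be encoded.
TABLE_7 = {
    1: ("Security Management Program", ["164.306", "164.308(a)", "164.310(a)(1)"]),
    2: ("Business Continuity Planning and Disaster Recovery", ["164.308(a)(7)", "164.310(a)(2)(i)"]),
    3: ("Policies and Procedures", ["164.316"]),
    4: ("Human Resource Policies and Procedures", ["164.308(a)(3)"]),
    5: ("Business Associate Agreements", ["164.308(b)(1)", "164.314"]),
    6: ("Security Training and Awareness", ["164.308(a)(5)"]),
    7: ("System / Network Technical Architecture", ["164.312"]),
    8: ("Evaluation", ["164.308(a)(8)"]),
    9: ("System / Network Management & Administration", ["164.310(d)", "164.312(b)"]),
    10: ("User Management, Support & Outreach",
         ["164.308(a)(4)", "164.308(a)(5)(i)(B)", "164.308(a)(5)(i)(C)",
          "164.308(a)(5)(i)(D)", "164.310(b)", "164.310(c)", "164.312(a)"]),
}

def normalize(citation):
    """Strip the section sign and whitespace: '§164.308 (a)' -> '164.308(a)'."""
    return citation.replace("\u00a7", "").replace(" ", "")

def covers(reference, citation):
    """True if a Table 7 reference covers a gap citation: the citation is the
    reference itself or a subsection of it (reference followed by '(')."""
    ref, cit = normalize(reference), normalize(citation)
    return cit == ref or cit.startswith(ref + "(")

def options_for(citation):
    """All remediation option numbers whose references cover this citation."""
    return sorted(n for n, (_, refs) in TABLE_7.items()
                  if any(covers(r, citation) for r in refs))

def cluster_gaps(gaps):
    """Group gap findings by remediation option: {option: [gap ids]}."""
    clusters = defaultdict(list)
    for gap_id, citation, _finding in gaps:
        for n in options_for(citation):
            clusters[n].append(gap_id)
    return dict(clusters)

# Constructed sample findings (id, rule section cited, finding); not real data.
SAMPLE_GAPS = [
    ("G1", "§164.308(a)(7)", "Contingency plan exists but has never been tested"),
    ("G2", "§164.312(a)", "Shared logins on clinical workstations"),
    ("G3", "§164.308(a)(5)(i)(B)", "No periodic security reminders to staff"),
    ("G4", "§164.314", "Business associate contracts lack security terms"),
]
```

Calling `cluster_gaps(SAMPLE_GAPS)` places G1 under both option 1 (via §164.308(a) - all) and option 2, which is exactly the overlap that lets a single management-level fix be weighed against a targeted one.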

The balance of this section expands on each of these areas:

HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181