8.2 POSSIBLE PHASES OF THE HIPAA SECURITY RULE COMPLIANCE PROJECT

  • Project planning

  • System discovery and identification

  • Baseline existing systems with regard to the HIPAA security rule

  • Gap analysis, risk analysis, risk management and residual risk acceptance

  • Remediation projects-closing the gaps

  • Review and follow-up

8.2.1 Phase 1-Project Planning-Putting together a successful HIPAA security rule project plan or roadmap

  • Need to have a mandate or project charter

    • Before you begin, you need a mandate or project charter from management

    • You need the authority or mandate to put together a HIPAA security rule project plan

  • HIPAA Security rule awareness training (for those directly involved with the HIPAA security project)

    • Check out online resources like the CMS web site and related sites

    • Read books like SANS HIPAA SBS

    • Consult your company's legal and/or compliance department

    • Attend courses and seminars

  • Things you need to consider before you begin

    • Are you a covered entity? If so what kind of covered entity?

    • Security officer assignment, if possible (must have authority)

    • Need a mandate or project charter from management

  • Identify the HIPAA Security officer

    • Does not have to be the one implementing the plan

    • Does have to have the authority

    • Does not have to be in IT. Many think that since HIPAA security is more technical, IT should be the ones in charge. This is not necessarily true.

  • Define project scope and goals

    • Scope: what the project will and will not cover

    • The foundation of any successful project lies in having a clear understanding of the overall goals and objectives of the project.

    • Goals and objectives are 'what do we need to do?'

    • Without goals and objectives, how will you know you are finished or where you are in the project?

    • Decide on and document target HIPAA goals or performance objectives

    • Determine how you are going to measure project 'success' or 'failure'

  • Identify key players, potential roadblocks and resources (friends and enemies of the project)

  • Clearly defined roles and responsibilities

  • Determine and document deliverables and milestones

  • Identify resources that can be used to address or work the plan

  • Need to have upper-management sign off on the plan

  • Identify who or what group will QA or review the plan

  • Determine risks to the project itself, what could go wrong with the plan?

  • Develop your project plan and the work breakdown structure (WBS)

    • Can use the HIPAA Security rule itself as a basis for the plan

  • If the HIPAA Security rule implementation specification is addressable, do you want to implement as-is or modify? To what extent?

8.2.2 Phase 2-System Discovery and Identification

  • Identify ePHI systems affected by the HIPAA Security Rule

    • System name and version (is it 'HIPAA Security ready' according to the vendor?)

    • System owner and contact, vendor contact information

    • What kind of ePHI does the system hold?

    • Identify the flow of the ePHI. Where does the ePHI come from and where does it go?

    • General system information (See discovery questionnaire example).

    • Systems can include not only applications and databases but also networks, groups of laptop users, lab systems, server rooms, building security, etc.

  • Identify resources you may be able to use

  • HIPAA Security rule awareness training (staff and management)

  • Identify person responsible for completing the standard or specification and documenting it for each ePHI system.

  • Determine a completion date for System Discovery and Identification

  • Identify current policies and procedures for each system, if they exist. These can be part of the baseline for comparison to the HIPAA Security standards

  • Expect to find more systems affected by the HIPAA Security rule as you continue with the project but beware of scope creep.

8.2.3 Phase 3-Baseline existing systems with regard to the HIPAA security rule

  • Baseline using existing policies, standards, procedures and other pertinent information

  • Identify person responsible for completing the baseline and documenting it for each system.

  • Perform an inventory of the current security environment with respect to policies, procedures, processes and technology.

  • Develop a plan for baselining each system with respect to the HIPAA Security rule standards

  • Don't just inventory policies and procedures; investigate how the systems are really used and where the ePHI goes.

  • Determine a target baseline completion date

  • Document the result, decide who needs to sign off on it

  • The baseline is a milestone and can be a deliverable in terms of the project plan

8.2.4 Phase 4-GAP analysis, risk analysis, risk management and residual risk acceptance

Gap Analysis

  • Identify the gap, (the difference between the baseline and company goal)

  • Identify any future company plans or projects that will affect the gap and will go into effect before the HIPAA Security rule compliance does.

  • Existing controls? (can include company HIPAA Privacy policy)

  • What is the difference between the baseline and the HIPAA Security implementation Specification for each system?

Risk Analysis

  • 'Risk analysis considers the various threats to security and then suggests the remedies that are the most cost-effective'

  • Identify and document who should be involved in the risk analysis section

  • Consider scope (just ePHI systems or all systems?)

  • Determine the likely sources of risk to the system (for example: insiders vs. outsiders, public, users, others, groups, companies/organizations, trading partners, business associates, etc.)

  • Determine the likely threat vectors (for example: physical access, internet, intranet, dial-up, etc.)

  • Determine the level of resources required to mitigate each threat source

  • Try to quantify each risk; use a standard scale or an annual dollar amount of loss

  • Consider new products (hardware, software, services, procedures, policies) to reduce risk

  • Document decisions and results

Risk Management

  • Determine level of acceptable risk

  • Have management agree to this level of risk in writing and with full knowledge of the risk
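The gap analysis, risk quantification and acceptable-risk decision described above can be carried in one small register. The following is an added illustration, not code from the book or from SANS: the system names, specification names, dollar figures and annualized rates are constructed sample values, and the functions (`find_gaps`, `risk_register`, `build_action_matrix`) are hypothetical names chosen for this example. It also goes slightly beyond the text by showing how a documented decision on an addressable specification is kept out of the gap list while still being recorded.

```python
from dataclasses import dataclass


@dataclass
class BaselineEntry:
    """One row of the Phase 3 baseline: a system measured against one
    HIPAA Security Rule implementation specification."""
    system: str
    specification: str
    kind: str            # "required" or "addressable"
    implemented: bool
    decision: str = ""   # documented rationale when an addressable spec is handled differently


@dataclass
class RiskEntry:
    """One identified risk: who (threat source), how (threat vector),
    and the annual dollar loss estimate built from SLE x ARO."""
    system: str
    threat_source: str   # e.g. insider, outsider, business associate
    threat_vector: str   # e.g. physical access, internet, intranet, dial-up
    sle: float           # single loss expectancy, dollars per incident
    aro: float           # annualized rate of occurrence, incidents per year

    def ale(self) -> float:
        # Annualized loss expectancy: the "annual dollar amount loss" scale.
        return self.sle * self.aro


def find_gaps(baseline):
    """Gap = difference between the baseline and the rule.
    A required specification that is not implemented is always a gap.
    An addressable specification that is not implemented is a gap unless a
    written decision (alternative measure or justification) is on file."""
    gaps = []
    for entry in baseline:
        if entry.implemented:
            continue
        if entry.kind == "addressable" and entry.decision:
            continue  # documented, management-signed decision: not a gap, but keep the record
        gaps.append(entry)
    return gaps


def risk_register(risks, acceptable_ale):
    """Rank risks by ALE and flag those above the acceptable level that
    management agreed to in writing. Returns (entry, ale, exceeds) tuples."""
    ranked = sorted(risks, key=lambda r: r.ale(), reverse=True)
    return [(r, r.ale(), r.ale() > acceptable_ale) for r in ranked]


def build_action_matrix(baseline, risks):
    """Phase 5 task list: every gap, prioritized by the highest ALE
    recorded against that system (gaps on low-risk systems sort last)."""
    worst_ale = {}
    for r in risks:
        worst_ale[r.system] = max(worst_ale.get(r.system, 0.0), r.ale())
    gaps = find_gaps(baseline)
    return sorted(gaps, key=lambda g: worst_ale.get(g.system, 0.0), reverse=True)


# Constructed sample data (hypothetical systems and figures, not from the book).
SAMPLE_BASELINE = [
    BaselineEntry("EHR", "Unique user identification", "required", True),
    BaselineEntry("EHR", "Encryption and decryption", "addressable", False),
    BaselineEntry("Lab LIMS", "Audit controls", "required", False),
    BaselineEntry("Laptop fleet", "Device and media controls: encryption", "addressable", False,
                  decision="Laptops hold no local ePHI; access is via VDI only"),
    BaselineEntry("Laptop fleet", "Security awareness training", "required", True),
]

SAMPLE_RISKS = [
    RiskEntry("EHR", "outsider", "internet", sle=200_000, aro=0.1),
    RiskEntry("Lab LIMS", "insider", "intranet", sle=50_000, aro=0.5),
    RiskEntry("Laptop fleet", "outsider", "physical access", sle=30_000, aro=0.2),
    RiskEntry("EHR", "business associate", "dial-up", sle=10_000, aro=0.05),
]

ACCEPTABLE_ALE = 10_000  # constructed example of a management-approved threshold


if __name__ == "__main__":
    for entry, ale, exceeds in risk_register(SAMPLE_RISKS, ACCEPTABLE_ALE):
        flag = "ABOVE acceptable level" if exceeds else "within acceptable level"
        print(f"{entry.system:12} {entry.threat_source:18} {entry.threat_vector:15} ALE=${ale:>9,.0f}  {flag}")
    print("Action items (highest system risk first):")
    for gap in build_action_matrix(SAMPLE_BASELINE, SAMPLE_RISKS):
        print(f"  {gap.system}: {gap.specification} [{gap.kind}]")
```

The register is deliberately a plain list of records so that the same sheet can be handed to management for the written acceptance of residual risk that the Risk Management bullets call for.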

8.2.5 Phase 5-Closing the gaps, remediation projects

  • Identify and verify HIPAA Security items completed

  • Identify HIPAA Security items not completed

  • Identify systems for testing

  • Add to Task/Action item list or matrix

Action Item / Task List Matrix

  • See below

Project planning and scheduling

  • Include deliverables and milestones

  • Include WBS

  • Identify critical paths

  • Update MS Project plan

    • Cost, resources, time, etc.

    • P&P (policies and procedures)

    • System upgrades or new systems installs

    • New system and P&P training

8.2.6 Phase 6-Review and follow-up

Manage and revise project plan as needed

  • Have regular meetings with management and project resources to review project status and progress.

  • Keep management informed of progress and any roadblocks. Do not wait until the last minute to tell management about problems or issues.

Review finished project and sign off

  • Team members, Project Manager and management need to sign off


HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181