HIPAA and Security Compliance

Risk Analysis

An effective risk management process is an important component of a successful IT security program. The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.

The SP 800-30 document was created by the National Institute of Standards and Technology and is public domain (not subject to copyright).

NIST 800-30 document – Risk Management Guide for Information Technology Systems

Security Rule Draft Guidance

The Office for Civil Rights (OCR) is responsible for issuing periodic guidance on the provisions in the HIPAA Security Rule. (45 C.F.R. §§ 164.302 – 318.) This series of guidance documents will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. The materials will be updated annually, as appropriate.

HHS has issued a guidance document entitled "HIPAA Security Standards: Guidance on Risk Analysis."

Rules

HIPAA Basics

The Administrative Simplification standards were adopted by the Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Other Resources