By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: How to Manage HIPAA Security
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > Uncategorized > How to Manage HIPAA Security
Uncategorized

How to Manage HIPAA Security

ShahidShah
ShahidShah
Share
6 Min Read
SHARE

 

I get lots of questions about HIPAA security these days; especially as EHR firms, hospitals, payers, and startups alike are being asked about their HIPAA policies.

 

I get lots of questions about HIPAA security these days; especially as EHR firms, hospitals, payers, and startups alike are being asked about their HIPAA policies.

More Read

Oracle Clouds and Oracle Social Network
5 ICD-10 Steps that Deliver Collateral Benefit for ICD-9
Cloud Computing for Healthcare; Compliance, Disaster Recovery & Business Sustainability
Algorithms in Medicine
IBM File System Scans 10 Billion Files in 43 minutes

My general recommendation is that you should forget about HIPAA at first (because it’s a toothless, generally unenforceable, regulation that will never improve security because it is a bureaucratic compliance tool). Instead, you should concentrate on good security practices, good security policies, follow recommended NIST guidance, and then come back and tie in the HIPAA regulations to make sure you don’t miss anything from the privacy side.

Also, don’t worry about finding “HIPAA auditors” initially — instead, focus on finding white hat hackers that can help you with penetration testing and hack attempts to truly focus on your threats and not on perceived HIPAA threats. Once you get beyond HIPAA as a security goal you’ll end up with much better security and then you can tie HIPAA into your privacy policies to make sure you’re not missing any major regulations.

Here’s how to proceed:

  1. Get a security policy in place — start with http://www.informationshield.com/ or http://www.instantsecuritypolicy.com. Both of these sites help you think about all the really difficult questions and options you have and help you construct a single document that would come out better than you can do on your own (initially). You can generate a pretty decent document within about 30 to 40 hours of work.
  2. As you’re getting your security documentation in place, take a look at the NIST 800-53 Information Security Policies for Federal Agencies guidance document. Why a federal agency guidance document? Because it’s thorough; most of it will be applicable to healthcare and is worth reviewing to make sure you don’t miss anything when you’re laying out your security policies and controls. Another reason to know about it is that there are lots of consultants out there that know NIST 800-53 and can help you out. Set aside about 8 to 12 hours to really get a good overview of this guidance document.
  3. Just to complete your understanding of the NIST security guidance, check out the other NIST special publications.
  4. Armed with a starter document from step #1 and a basic understanding of the NIST guidance, contact guys who are not HIPAA guys but are security policy experts (contact me privately and I can put you in touch with some) that can review your document. In less than 8 hours of work you can have the document improved in ways that you never imagined (assuming you’re talking to a security expert, not a compliance person).
  5. With a proper policy document now in place, get in touch with a security company that can help you with penetration testing and evaluating your policies in excruciating detail. HIPAA auditors are not what I mean here; I mean guys that can try to break into your system and tell you whether the policies will work and what holes you need to fill in — the “white hat” crowd. This might take as little as 20 to 30 hours or hundreds of hours, depending on the state of your security policies and actual security tools in place.
  6. Go back to the tools in step #1 and plug in all your real security holes with either policies or security tools recommended by the testing firm(s) and consultant(s) and iterate over your document.
  7. With a near-final security document in place, schedule a quarterly test and evaluation and a change control process for how you will keep your documents, real security tools, and policies in good shape. You will need to review your own logs daily, weekly, and monthly and have the experts come in no later than quarterly (monthly is even better). To see one approach to how the feds recommend doing this (again, it’s completely applicable to healthcare) check out the FedRAMP program.
  8. With your documentation now ready and a good change control process in place, now you’re (finally!) ready for the HIPAA auditors; they can now concentrate on the compliance activities and you won’t be fooled into thinking that HIPAA compliance means you’re more secure.

If you’ve got other thoughts that can help the health IT community, drop us some comments here.

TAGGED:HIPAA security
Share This Article
Facebook Copy Link Print
Share

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

dental care
Importance of Good Dental Care for Health and Confidence
Dental health Specialties
October 2, 2025
AI in Healthcare
AI in Healthcare: Technology is Transforming the Global Landscape
Global Healthcare Policy & Law Technology
October 1, 2025
Choosing the Right Swimwear for Health and Safety
News
September 30, 2025
sports concussions
Concussion In Sports: How Common They Are And What You Need To Know
Infographics
September 28, 2025

You Might also Like

Uncategorized

12 Women in Health IT You Should Know

March 21, 2012
soy supplements from Herbalife get great reviews
Uncategorized

The Benefits and Drawbacks of Popular Natural Health Supplements

October 28, 2021
Uncategorized

What Are the Most Common Nutrient Deficiencies?

March 30, 2022

Lost Military Backup Tapes Results in HIPAA Violation Affecting 4.9 Million

September 30, 2011
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?