By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: How to Manage HIPAA Security
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > Uncategorized > How to Manage HIPAA Security
Uncategorized

How to Manage HIPAA Security

ShahidShah
ShahidShah
Share
6 Min Read
SHARE

 

I get lots of questions about HIPAA security these days; especially as EHR firms, hospitals, payers, and startups alike are being asked about their HIPAA policies.

 

I get lots of questions about HIPAA security these days; especially as EHR firms, hospitals, payers, and startups alike are being asked about their HIPAA policies.

More Read

Shahid Shah Speaking at NIH Clinical Center on Why Meaningful Use (MU) and EHRs are Insufficient for Evidence Based Medicine (EBM) and Comparative Effectiveness Research (CER)
HIPAA Hosting Q&A with a Certified HIPAA Practitioner & Security Specialist
How Can Computer Viruses Affect Your Medical Practice?
Why Medical Device Data is the Best Way to Fill Meaningful Use EHRs and Conduct Comparative Effectiveness Research (CER)
How Hospitals Can Protect Patients From Identity Theft

My general recommendation is that you should forget about HIPAA at first (because it’s a toothless, generally unenforceable, regulation that will never improve security because it is a bureaucratic compliance tool). Instead, you should concentrate on good security practices, good security policies, follow recommended NIST guidance, and then come back and tie in the HIPAA regulations to make sure you don’t miss anything from the privacy side.

Also, don’t worry about finding “HIPAA auditors” initially — instead, focus on finding white hat hackers that can help you with penetration testing and hack attempts to truly focus on your threats and not on perceived HIPAA threats. Once you get beyond HIPAA as a security goal you’ll end up with much better security and then you can tie HIPAA into your privacy policies to make sure you’re not missing any major regulations.

Here’s how to proceed:

  1. Get a security policy in place — start with http://www.informationshield.com/ or http://www.instantsecuritypolicy.com. Both of these sites help you think about all the really difficult questions and options you have and help you construct a single document that would come out better than you can do on your own (initially). You can generate a pretty decent document within about 30 to 40 hours of work.
  2. As you’re getting your security documentation in place, take a look at the NIST 800-53 Information Security Policies for Federal Agencies guidance document. Why a federal agency guidance document? Because it’s thorough; most of it will be applicable to healthcare and is worth reviewing to make sure you don’t miss anything when you’re laying out your security policies and controls. Another reason to know about it is that there are lots of consultants out there that know NIST 800-53 and can help you out. Set aside about 8 to 12 hours to really get a good overview of this guidance document.
  3. Just to complete your understanding of the NIST security guidance, check out the other NIST special publications.
  4. Armed with a starter document from step #1 and a basic understanding of the NIST guidance, contact guys who are not HIPAA guys but are security policy experts (contact me privately and I can put you in touch with some) that can review your document. In less than 8 hours of work you can have the document improved in ways that you never imagined (assuming you’re talking to a security expert, not a compliance person).
  5. With a proper policy document now in place, get in touch with a security company that can help you with penetration testing and evaluating your policies in excruciating detail. HIPAA auditors are not what I mean here; I mean guys that can try to break into your system and tell you whether the policies will work and what holes you need to fill in — the “white hat” crowd. This might take as little as 20 to 30 hours or hundreds of hours, depending on the state of your security policies and actual security tools in place.
  6. Go back to the tools in step #1 and plug in all your real security holes with either policies or security tools recommended by the testing firm(s) and consultant(s) and iterate over your document.
  7. With a near-final security document in place, schedule a quarterly test and evaluation and a change control process for how you will keep your documents, real security tools, and policies in good shape. You will need to review your own logs daily, weekly, and monthly and have the experts come in no later than quarterly (monthly is even better). To see one approach to how the feds recommend doing this (again, it’s completely applicable to healthcare) check out the FedRAMP program.
  8. With your documentation now ready and a good change control process in place, now you’re (finally!) ready for the HIPAA auditors; they can now concentrate on the compliance activities and you won’t be fooled into thinking that HIPAA compliance means you’re more secure.

If you’ve got other thoughts that can help the health IT community, drop us some comments here.

TAGGED:HIPAA security
Share This Article
Facebook Copy Link Print
Share

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

Epidemiological Health Benefits
Personal and Epidemiological Health Benefits of Blood Pressure Management
Health
October 13, 2025
Traumatic Brain Injuries
Understanding Traumatic Brain Injuries: What Families Need to Know
Policy & Law
October 10, 2025
Remote Monitoring touchpoints
Remote Monitoring Touchpoints Patients Will Actually Follow
Technology
October 9, 2025
dental care
Importance of Good Dental Care for Health and Confidence
Dental health Specialties
October 2, 2025

You Might also Like

Health IT Confusion and Clarification

September 16, 2011
senior healthcare benefits
Uncategorized

Diagnosing Patient Dissatisfaction: 5 Top Causes

September 10, 2021

How Does Email Help You As A Doctor?

September 23, 2011
Uncategorized

The Importance of Patient Engagement in a Successful HIE

May 1, 2012
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?