Updated Regulations Require Reassessment
According to Gartner: In a 2012 series of spot check audits for health care organizations, most failed, not because of a lack of controls, but for the lack of a recent risk assessment to support their control implementation decisions. Recent updates in regulations, increased exposure through business associates, mandated reportable breach thresholds, and potential for increased penalties will motivate companies to reassess their security measures.
Companies are asking:
- Have PHI assessments as required by HIPAA been completed?
- Are security policies and procedures relevant to the compliance requirements of HIPAA/HITECH?
- Are data breach policies and breach response plans adequate to detect a compromise of 500 or greater records and to meet the requirement to report it?
- Under the updated definition, are all business associates under agreement and meeting HIPAA requirements?
OpenSky HIPAA/HITECH Assessment Approach
OpenSky’s approach is based upon our risk assessment methodology developed from assisting similar organizations, common industry practices, and leading industry standards (e.g. NIST SP 800-66, DHHS HIPAA Security and Privacy Rule Audit Requirements and ISO 27002) for IT risk assessments. The project team will customize control objectives according to the specific business and regulatory environment of the organization. For the HIPAA Security and Privacy Rules, there are 197 control objectives to be reviewed.
OpenSky recommends review of the following:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational – Governance of IT Risk Management
- Policies and Procedures and Documentation Requirements
- Privacy of PHI and EPHI
- Incident Response, Containment, Recovery, Logging and Monitoring programs