Areas to be addressed for HIPAA Compliance

...rting
· Confidentiality
· Remediation

Develop Disaster Recovery Plan

A defined set of which risks are acceptable and how unacceptable risks are alleviated and resolved should be completed. This will include the following steps:

· Pre-Planning Activities (Project Initiation)
  o Establish Steering Committee
  o Develop a policy to support the recovery programs
· Vulnerability Assessment Requirements
  o Define the scope of the planning effort.
  o Analyze, recommend and purchase recovery planning and maintenance software required to support the development of the plans and to keep the plans current following implementation.
  o Develop a Plan Framework.
· Business Impact Assessment (BIA)
  o Identify critical systems, processes and functions
  o Assess the economic impact of incidents and disasters that result in a denial of access to systems services and other services and facilities
  o Assess the "pain threshold," that is, the length of time business units can survive without access to systems, services and facilities.
· Detailed Definition of Requirements
  o A profile of recovery requirements will be developed. This profile will be used as a basis for analyzing alternative recovery strategies.
· Plan Development
  o Recovery plan components will be defined and plans will be documented
  o Recovery standards will also be developed in this phase

Create and Define Metrics

Criteria will be developed to evaluate the success and performance of the security measures and processes.
The following areas will be covered in developing this set of standards:

· Awareness and Communications
· Administration and technical support (operational view)
· Architecture and standards (operational view)
· Policies, practices and procedures (operational view)
· Organization and planning (innovation and learning view)
· Financials and metrics (financial view)
· Audit (financial view)

HIPAA Compliance Audit (Not required but recommended)

Prior to the 4/21/05 HIPAA deadline, a set of six detailed scenarios will be documented for an internal HIPAA Audit check. Each independent scenario will be handled on a case-by-case basis and could potentially involve employees throughout the Health Care Institute organization. These scenarios will cover the following areas:

· Physical Security
· Medical Records
· Network Access
· Information Logging

Develop Security Officer Position

The Health Care Institute needs to select, train and work on the preparation of a Security Officer or look to outsource this position. While the Security Officer is being selected and trained, 3SG will fill the role of Security Officer for Health Care Institute. This includes:

· Provides development guidance and assists in the identification, implementation, and maintenance of organization information privacy policies and procedures in coordination with organization management and administration, and legal counsel.
· Performs initial and periodic information risk assessments and conducts related ongoing compliance monitoring activities in coordination with the entity's other compliance and operational assessment functions.
· Identifies protection goals and objectives consistent with corporate strategic plan.
· Manages the development and implementation of global security policy, standards, guidelines and procedures to ensure ongoing maintenance of security.
· Maint...
