HIPAA Compliance In 30 Days or Less
With the deadline looming, our security manager gives an assist to the fellow in charge of meeting the mandates of the security rule.
Computerworld - HIPAA. We are all sick of the acronym by now, and the April 20 compliance deadline for the Health Insurance Portability and Accountability Act is looming.
At the state agency where I work, the information security officer (ISO), who is responsible for HIPAA security rule compliance, has spent the past seven months or so writing policies and procedures. He divided them into two groups: "required" (stuff we have to do) and "addressable" (stuff we'd better be thinking about doing).
When I came aboard, only one of the policies had been approved by the agency chiefs. Everything is done by consensus here -- if one chief doesn't like a single sentence, the policy is rejected, edited and then resubmitted. I was starting to panic about the approaching deadline. If we can't get the policies approved, we certainly can't implement them.
I did what any respectable security professional would do under the circumstances. First, I asked each chief to support the policy-approval process. Next, wanting to find a template that would be widely accepted but not wanting to reinvent the wheel, I went to the Web site of the National Institute of Standards and Technology (NIST) and downloaded every available document related to security and compliance with the HIPAA security rule.
Special Publication 800-66, titled "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule," was just what our ISO needed: a step-by-step guide to compliance. A table on page 13 of this handy document defines each standard of the rule, identifies its section number and outlines implementation specifications, noting which ones are required and which are addressable. Even better, pages 16 through 54 describe various "key activities" and provide sample questions. This was the perfect project outline to give to a HIPAA newbie.
I went one step further and took the NIST outline and plunked it into Microsoft Project, defined major milestones, allocated resources and hung the Gantt chart on my wall. I also printed all of the related NIST documents and put them in a big binder.
I wanted to show my ISO how to formulate a project plan. I wanted him to understand what he was going to be held accountable for and how short the time frame for implementation was.
When I showed the plan to my boss, I felt the need to apologize for my micromanagement. "I don't usually go to this length with a direct report, but I need to get through to this guy that this is the quality of work we expect from him. He
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts