Educause Security Discussion mailing list archives

Re: HIPAA Compliance


From: Alex Lindstrom <aglind () UDEL EDU>
Date: Thu, 15 Aug 2019 11:52:10 -0400

Michael,

I'm currently engaged with three campus clinics to draft a unified HIPAA
security plan to be adopted upon implementation of a shared EHR platform.
The plan and accompanying HIPAA compliance program are keyed directly to
the security standards and implementation specifications listed in the
HIPAA Security Rule. (It may be less nerve-wracking if you approach the
Security Rule as just a vaguer peer of your IS framework of choice—NIST
800-53, CSF, ISO, etc. It's somewhat ambiguous in certain parts, but the
key security principles remain the same.)

The plan describes standardized procedures across the three clinics (to the
extent that things can be standardized) and points to external
documentation that supports each clinic individually (e.g., clinic-specific
Facility Security Plans). Some of that documentation will need to be
developed or updated as part of the final package of deliverables, but
sharing templates and existing documents makes that process easier.

If you're currently looking to add a new health care component, sit down
with the (intended) HCC leadership and key support personnel (e.g., local
IT) and build security into their operations before their first day. This
approach is much easier than trying to dig into existing administrative,
physical, and technical practices and unpack where the HCC is or isn't
compliant, especially when operational inertia creates resistance to change.

For the more complex ideas (risk assessment, prioritizing operations based
on criticality, etc.), ease them into the process by beginning with a
high-level walkthrough of business/clinic operations rather than beginning
with risk itself (which we've found can often be prohibitively abstract to
operational personnel).

It's also critically important to identify ownership and boundaries of
responsibility. Ensure that clinic leadership is accountable for local
compliance. Identify which security controls are managed by central IT or
other units and which are the responsibility of the clinic.

I'm by no means a HIPAA expert; these are just things we've found useful
throughout the process.

Best,
-----

Alex Lindstrom

IT Security Analyst II
UD IT Security

(302) 831-4823
https://www.udel.edu/security/ <https://www1.udel.edu/security/>
https://sites.udel.edu/threat/


On Thu, Aug 15, 2019 at 10:59 AM Menne, Michael S <michael.menne () mnsu edu>
wrote:

What types of things are institutions doing for HIPAA compliance for
covered functions at small-medium sized non-medical / research institutions?

We have two covered functions presently and are looking to add a third.
HIPAA compliance makes me personally very nervous as I don’t understand it
very well.  We have a designated HIPAA Privacy Officer who is equally as
nervous about it.

*Michael Menne, CISSP*

*Chief Information Security Officer*

*IT Solutions Information Security*

*Minnesota State University, Mankato*

*Phone:  (507) 389-5705*

*www.mnsu.edu/its/security*

**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community

