Educause Security Discussion mailing list archives
Re: HIPAA Compliance
From: Alex Lindstrom <aglind () UDEL EDU>
Date: Thu, 15 Aug 2019 11:52:10 -0400
Michael,

I'm currently engaged with three campus clinics to draft a unified HIPAA security plan to be adopted upon implementation of a shared EHR platform. The plan and accompanying HIPAA compliance program are keyed directly to the security standards and implementation specifications listed in the HIPAA Security Rule. (It may be less nerve-wracking if you approach the Security Rule as just a vaguer peer of your IS framework of choice—NIST 800-53, CSF, ISO, etc. It's somewhat ambiguous in certain parts, but the key security principles remain the same.) The plan describes standardized procedures across the three clinics (to the extent that things can be standardized) and points to external documentation that supports each clinic individually (e.g., clinic-specific Facility Security Plans). Some of that documentation will need to be developed or updated as part of the final package of deliverables, but sharing templates and existing documents makes that process easier.

If you're currently looking to add a new health care component, sit down with the (intended) HCC leadership and key support personnel (e.g., local IT) and build security into their operations before their first day. This approach is much easier than trying to dig into existing administrative, physical, and technical practices and unpack where the HCC is or isn't compliant, especially when operational inertia creates resistance to change.

For the more complex ideas (risk assessment, prioritizing operations based on criticality, etc.), ease them into the process by beginning with a high-level walkthrough of business/clinic operations rather than beginning with risk itself (which we've found can often be prohibitively abstract to operational personnel).

It's also critically important to identify ownership and boundaries of responsibility. Ensure that clinic leadership is accountable for local compliance. Identify which security controls are managed by central IT or other units and which are the responsibility of the clinic.

I'm by no means a HIPAA expert; these are just things we've found useful throughout the process.

Best,

-----
Alex Lindstrom
IT Security Analyst II
UD IT Security
(302) 831-4823
https://www.udel.edu/security/ <https://www1.udel.edu/security/>
https://sites.udel.edu/threat/

On Thu, Aug 15, 2019 at 10:59 AM Menne, Michael S <michael.menne () mnsu edu> wrote:
What types of things are institutions doing for HIPAA compliance for covered functions at small-medium sized non-medical / research institutions? We have two covered functions presently and are looking to add a third. HIPAA compliance makes me personally very nervous as I don't understand it very well. We have a designated HIPAA Privacy Officer who is equally as nervous about it.

Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone: (507) 389-5705
www.mnsu.edu/its/security

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- HIPAA Compliance Menne, Michael S (Aug 15)
- Re: HIPAA Compliance Alex Lindstrom (Aug 15)
- Re: HIPAA Compliance Von Welch (Work) (Aug 15)
- Re: HIPAA Compliance Jenny Blaine (Aug 15)