HIPAA Compliance Reporter for Covered Entities - Liability Reduction by Automated, Cost Effective Support of Business Associates

On February 17, 2009 President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA). This bill authorizes over $700 billion in new spending, increases penalties for release of protected health information, greatly expands the legal right to sue under HIPAA and makes business associates of covered entities directly responsible for full compliance with the HIPAA security rule. Quoting from section 13401 of the ARRA, "(a) Application of Security Provisions- Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity." The ARRA provides hospitals and other covered entities with both a threat and an opportunity. The expanded right to sue and the increased penalties for information release expand the risks to covered entities. At the same time, by providing business associates with services to help secure their information systems to HIPAA requirements, covered entities can reduce a major threat to their own patient information and defray the costs of upgrading information security in their own networks.
Automating Information Security - NIST 800-66 and the DHS SCAP Program

Within the last 12 months powerful new tools have been developed for information security under the DHS Security Content Automation Protocol (SCAP) program. SCAP validated network scanners are available from a dozen vendors, with more programs in the process of validation. Most of these are sized to deal with larger networks from 150 to 15000 workstations. However, the Secutor program from ThreatGuard has a version small enough to fit on a thumb drive and be used to scan a single workstation at a time. For small offices and business associates this simple and inexpensive program is ideal. Directions for HIPAA security rule compliance are contained in the National Institute of Standards and Technology (NIST) "Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (SP 800-66 REV 1)." Other guidance can be found on the CMS webpage, but the 800-66 protocol is readily implemented and allows significant automation of the risk management process. Following the signing of the ARRA, ThreatGuard and ACR teamed up to produce the HIPAA Compliance Reporter. This inexpensive program ($150 for single site, single use) combines the Secutor thumb drive scanner with an online version of the NIST 800-66 protocol. A full program can be set up in a few hours, although reaching acceptable levels of compliance can be expected to take months or years, based on ACR experience in securing banks to similar levels of information security.
Implementation and Economics

To bring a covered entity and its business associates into compliance with the HIPAA security rule is a four-step process.
Cost Effective HIPAA Security Rule Compliance

The combination of SCAP scanning, developed under the sponsorship of the US Department of Homeland Security, and automation of the NIST 800-66 compliance process allows covered entities and their business associates to secure private health information to the levels envisioned by the creators of HIPAA. At a time when cybercrime exceeds illegal drugs as a criminal enterprise, effective information security is now a mission critical item. For more information, please contact Info@acr2solutions.com or call (678) 261-8181.