How will we know if our organization and our systems are compliant with the HIPAA Security Rule's requirements?

Answer:

The purpose of the final rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected Health information (EPHI) that is collected, maintained, used or transmitted by a covered entity. Compliance is different for each organization and no single strategy will serve all covered entities.

Covered entities should look to § 164.306 of the Security Rule for guidance to support decisions on how to comply with the standards and implementation specifications contained in §§ 164.308, 164.310, 164.312, 164.314, and 164.316. In general, this includes performing a risk analysis; implementing reasonable and appropriate security measures; and documenting and maintaining policies, procedures and other required documentation.

Compliance is not a one-time goal, it must be maintained. Compliance with the evaluation standard at § 164.308(a)(8) will allow covered entities to maintain compliance. By performing a periodic technical and nontechnical evaluation of the information security environment, a covered entity will be able to better ensure the security of EPHI.


Home | About Us | Contact Us | Sitemap | Resources | Covered Entity | Business Associate
Individuals | Product Certification | HIPAA Compliance FAQ | HIPAA Compliance Software | HIPAA Security Policies | HIPAA Privacy Policies
HIPAA Business Continuity Plan | HIPAA Security Risk Analysis Template | HIPAA Audit Templates
Copyright © 2007-09 Supremus Group LLC Developed and Designed by Des Moines Web Design Company
This site is best viewed using Internet Explorer 5.0/higher or Netscape Navigator 7.0/higher at 1024x768 resolution for optimum performance