HIPAA Security Implementation, Version 1.0

8.2 POSSIBLE PHASES OF THE HIPAA SECURITY RULE COMPLIANCE PROJECT

• Project planning

• System discovery and identification

• Baseline existing systems with regard to the HIPAA security rule

• Gap analysis, risk analysis, risk management and residual risk acceptance

• Remediation projects-closing the gaps

• Review and follow-up

8.2.1 Phase I-Project Planning-Putting together a successful HIPAA security rule project plan or roadmap

• Need to have a mandate or project charter

  • Before you begin, your need a mandate or project charter from management

  • You need to authority or mandate to put together a HIPAA security rule project plan

• HIPAA Security rule awareness training (for those directly involved with the HIPAA security project)

  • Checkout online resources like the CMS web site and related sites

  • Read books like SANS HIPAA SBS

  • Consult you companies legal and\or compliance department

  • Attend courses and seminars

• Things you need to consider before you begin

  • Are you a covered entity? If so what kind of covered entity?

  • Security officer assignment, if possible (must have authority)

  • Need a mandate or project charter from management

• Identify the HIPAA Security officer

  • Does not have to be the one implementing the plan

  • Does have to have the authority

  • Does not have to be in IT. Many think that since HIPAA security is more technical, IT should be the ones in charge. This is not necessarily true.

• Define project scope and goals

  • Scope: what the project will and will not cover

  • The foundation of any successful project lies in having a clear understanding of the overall goals and objectives of the project.

  • Goals and objectives are 'what do we need to do?'

  • Without goals and objectives, how will you know you are finished or where you are in the project?

  • Decide on and document target HIPAA goals or performance objectives

  • Determine how you are going to measure project ˜success' or ˜failure'

• Identify key players, potential road blocks and resources (friend and enemies of the project)

• Clearly defined roles and responsibilities

• Determine and document deliverables and milestones

• Identify resources that can be used to address or work the plan

• Need to have upper-management sign off on the plan

• Identify who or what group will QA or review the plan

• Determine risks to the project itself, what could go wrong with the plan?

• Develop your project plan and the work breakdown structure (WBS)

  • Can use the HIPAA Security rule itself as a basis for the plan

• If the HIPAA Security rule implementation specification is addressable, do you want to implement as-is or modify? To what extent?

8.2.2 Phase 2-System Discovery and Identification

• Identify ePHI systems affected by the HIPAA Security Rule

  • System name and version (is it ˜HIPAA Security ready' according to the vender?)

  • System owner and contact, vender contact information

  • What kind of ePHI does the system have

  • Identify the flow of the ePHI. Where does the ePHI come from and where does it go.

  • General system information (See discovery questionnaire example).

  • Systems can include not only Applications and databases but also networks, groups of laptop users, lab systems, server room, building security, etc..

• ID resources you many be able to use

• HIPAA Security rule awareness training (staff and management)

• Identify person responsible for completing the standard or specification and documenting it for each ePHI system.

• Determine a completion date for System Discovery and Identification

• Identify current policies and procedures for each system, if exists. This can be part of the baseline for comparisons to the HIPAA Security standards

• Expect to find more systems affected by the HIPAA Security rule as you continue with the project but beware of scope creep.

8.2.3 Phase 3-Baseline existing systems with regard to the HIPAA security rule

• Baseline using existing policies, standards, procedures and other pertinent information

• Identify person responsible for completing the baseline and documenting it for each system.

• Perform an inventory of the current security environment with respect to policies, procedures, processes and technology.

• Develop a plan for baseline each system with respect to the HIPAA Security rule standards

• Don't just inventory policies and procedures but investigate how the systems really used and where the ePHI goes.

• Determine a target baseline completion date

• Document the result, decide who needs to sign off on it

• The Baseline is milestone and can be a deliverable in terms of the project plan

8.2.4 Phase 4-GAP analysis, risk analysis, risk management and residual risk acceptance

Gap Analysis

• Identify the gap, (the difference between the baseline and company goal)

• Identify any future company plans or projects that will affect the gap and will go into effect before the HIPAA Security rule compliance does.

• Existing controls? (can include company HIPAA Privacy policy)

• What is the difference between the baseline and the HIPAA Security implementation Specification for each system?

• Risk Analysis

• 'Risk analysis considers the various threats to security and then suggests the remedies that are the most cost-effective '

• Identify and document who should be involved in risk analysts section

• Consider scope (just ePHI systems or all systems?)

• Determine the likely sources of risk to the system (for example: insiders vs. outsiders, public, users, others, groups, companies\organization, trading partners , business associates , etc )

• Determine the likely threat vectors: (for example: physical access, internet, intranet, dial-up, etc..)

• Determine the level of resources required to mitigate each threat source

• Try and quantify each risk, use a standard scale or annual dollar amount loss

• Consider new products (hardware, software, services, procedures, policies) to reduce risk

• Document decisions and results

Risk Management

• Determine level of acceptable risk

• Have management agree to this level of risk in writing and with full knowledge of the risk

8.2.5 Phase 5-Closing the gaps, remediation projects

• Identify and verify HIPAA Security items completed

• Identify HIPAA Security items not completed

• Identify systems for testing

• Add to Task\Action item list or matrix

Action item \ Task List Matrix

• See below

Project planning and scheduling

• Include deliverables and milestones

• Include WBS

• Identify critical paths

• Update MS Project plan

  • Cost, resources, time, etc

  • P&P

  • System upgrades or new systems installs

  • New system and P&P training

8.2.6 Phase 6-Review and follow-up

Manage and revise project plan as needed

• Have regular meetings with management and project resources to review project status and progress.

• Keep management informed of progress and any road blocks. Do not wait until the last minute to tell management about problems or issues.

Review finished project and sign off

• Team members , Project Manager and management need to sign off