Privacy Officer's Roundtable


1.
FREE HIPAA Risk Analysis Tool
From: David Nelson
To: Privacy Officer's Roundtable
Posted: Jun 11, 2012 1:35 PM
Subject: FREE HIPAA Risk Analysis Tool
Message:

California Releases the First-of-Its-Kind Public HIPAA Security Rule Toolkit

Providing California an online resource to conduct a basic risk assessment

SACRAMENTO - The California Health and Human Services Agency's (CHHS) Office of Health Information Integrity (CalOHII) today announced the release of its Health Insurance Portability and Accountability Act (HIPAA) Security Rule Toolkit. The online toolkit will provide aid to organizations in California to help them better understand the requirements of the HIPAA Security Rule and assist organizations in implementing HIPAA requirements. The online toolkit can be accessed on the CalOHII website: http://ohii.ca.gov/calohi/.

HIPAA established national standards for the protection of certain health information that is held or transferred in electronic form. These national standards operationalize protections by addressing the technical and non-technical safeguards that organizations must implement to secure electronic protected health information.

"This new tool will allow organizations to assess their level of compliance with Federal HIPAA requirements as well as areas where they have opportunities to strengthen their programs," said Pamela Lane, Deputy Secretary, Health Information Exchange. "This represents the first offering of its kind in California and will serve as a tool in assisting our provider communities in the complex security arena."

The CalOHII works in support of the CHHS's health information exchange (HIE) initiatives, oversees the collaborative statewide development and implementation of privacy and security policy for the electronic exchange of health information, enforces state law mandating the confidentiality of medical information, and ensures uniform and cost-effective HIPAA implementation.
-------------------------------------------
David Nelson, CIPP/G, CHRC
Privacy Officer
County of San Diego
San Diego, CA
-------------------------------------------

2.
RE: FREE HIPAA Risk Analysis Tool
From: Frank Ruelas
To: Privacy Officer's Roundtable
Posted: Jun 11, 2012 1:48 PM
Subject: RE: FREE HIPAA Risk Analysis Tool
Message:
HIPAA COW has had a toolkit available for over a year. Good to know that the number of free toolkits for this is growing. Thanks for sharing.

-------------------------------------------
Frank Ruelas
Principal
HIPAA College
Casa Grande, AZ
-------------------------------------------

3.
RE: FREE HIPAA Risk Analysis Tool
From: David Nelson
To: Privacy Officer's Roundtable
Posted: Jun 11, 2012 2:14 PM
Subject: RE: FREE HIPAA Risk Analysis Tool
Message:
Thanks Frank. This toolkit is the next generation and is very sophisticated. The tool is divided up by the safeguards sections (admin, physical, technical and business continuity), captures your answers, leads you through the process, tells you how far along you are, can be updated/revised/corrected, lets you go from section to section while getting answers without losing your input, and lets you create/run multiple sessions (business unit by business unit, anyone?). I haven't seen anything like this in the market. For the small providers who do not have the resources to do the RA, or the time to do it all at once, it will be a boon.

One note is that the state doesn't collect your information (input or results), doesn't have your password, and only gets a hit count from the site.

-------------------------------------------
David Nelson, CIPP/G, CHRC
Privacy Officer
County of San Diego
San Diego, CA
-------------------------------------------

4.
RE: FREE HIPAA Risk Analysis Tool
From: Frank Ruelas
To: Privacy Officer's Roundtable
Posted: Jun 11, 2012 2:58 PM
Subject: RE: FREE HIPAA Risk Analysis Tool
Message:
...and then, to top it off, it is web based! I have a few physician sites that are looking to do a risk assessment and I'm going to ask them to consider using this tool this week. I was going to engage in a risk assessment assignment with them, but as many folks have learned from me, I am a huge "do it yourselfer," and so they will give it a try. I will share some feedback with the group once they are done.

The good thing is that this is a new physician practice so they are literally starting from scratch and this also helps make it a bit easier in some aspects.

I ran through much of the tool earlier and I agree that for the medium to small sized provider sector, this will be a welcomed tool.  I can even see some larger sized providers benefiting from this tool as well.

Leave it to California to break new ground with the intro of this tool....again!

-------------------------------------------
Frank Ruelas
Principal
HIPAA College
Casa Grande, AZ
-------------------------------------------

5.
RE: FREE HIPAA Risk Analysis Tool
From: Chris Apgar
To: Privacy Officer's Roundtable
Posted: Jun 12, 2012 2:23 PM
Subject: RE: FREE HIPAA Risk Analysis Tool
Message:
A big thanks to CalOHI.  Regarding the risk analysis, it is unfortunately incomplete.  Just assessing where PHI is located does not meet the security rule's risk analysis requirement.  Covered entities and business associates need to look at the whole organization and all threats such as threats to facilities, vulnerabilities in the firewall or anti-malware, critical business/clinical processes, etc.  It is important to identify where ePHI is stored but that does not address risks related to the building burning down as an example.  Also, the privacy rule includes the "mini-security rule" and non-electronic PHI should be evaluated to determine the risk if it's lost, stolen or destroyed.

-------------------------------------------
Chris Apgar
CEO and President
Apgar and Associates, LLC
Portland, OR
-------------------------------------------

6.
RE: FREE HIPAA Risk Analysis Tool
From: David Nelson
To: Privacy Officer's Roundtable
Posted: Jun 12, 2012 2:50 PM
Subject: RE: FREE HIPAA Risk Analysis Tool
Message:
You have a valid point (one I frequently express), but I suggest you go deeper into the tool, as part of your concerns are addressed. When you get to the end, or if you jump there, the report page has links to questionnaires that address some of the very issues you bring up, such as Facility Security:

"Questions to Consider:

  • If reasonable and appropriate, do nonpublic areas have locks and cameras?
  • Are workstations protected from public access or viewing?
  • Are entrances and exits that lead to locations with e-PHI secured?
  • Does the facility security plan outline who can access various facilities and equipment?" ...

or Work Station Use:

  • How are workstations used in day-to-day operations?
  • What are key operational risks that could result in a breach of security?
  • Where are workstations located?
  • Is viewing by unauthorized individuals restricted or limited at these workstations?

The trick here, and I think it is a valid derivative of your concern, is that the tool is not intended to be done by IT alone. Just as you point out in your questions, the security rule is not just an IT issue, and IT may not be able to (nor should they) answer the very issues you bring up.

 
-------------------------------------------
David Nelson, CIPP/G, CHRC
Privacy Officer
County of San Diego
San Diego, CA
-------------------------------------------

7.
RE: FREE HIPAA Risk Analysis Tool
From: Hernan Serrano
To: Privacy Officer's Roundtable
Posted: Jun 12, 2012 3:22 PM
Subject: RE: FREE HIPAA Risk Analysis Tool
Message:
Chris,

I agree with you wholeheartedly. The CalOHI looks more like a HIPAA Security Compliance Tool. That is, it will assist the user in determining whether the unit is complying with the Administrative, Physical, and Technical Safeguards of the HIPAA Security Rule. The tool is not a "risk assessment" tool since it does not help identify vulnerabilities, the threats against those vulnerabilities, and the risks of those threats being realized. Once the risks are identified, the unit either accepts the risks or mitigates the risks. Your action should be based on the impact to your unit should the risk materialize. At least that is how I understand it. "Risk Assessment" is a separate standard under the Administrative Safeguards, which is part of your overall HIPAA Security Compliance program. So, while the CalOHI is a great compliance tool, I'm with Chris in that it is not a "risk assessment" tool.
-------------------------------------------
Hernan Serrano, CHP, CHSS
Health Information Compliance Specialist
Force 3, Inc.
San Antonio, TX
-------------------------------------------

8.
RE: FREE HIPAA Risk Analysis Tool
From: Frank Ruelas
To: Privacy Officer's Roundtable
Posted: Jun 13, 2012 12:37 PM
Subject: RE: FREE HIPAA Risk Analysis Tool
Message:
David,

I'm going to guess that, based on some comments by folks both on-list and off-list, these folks have not gone through the tool from start to finish, including the questionnaire and then the associated risk analysis tool that also incorporates questionnaire responses. It's also obvious that some folks don't understand the purpose of the toolkit, though the purpose is clearly stated in the user's manual.

The tool is not a risk analysis tool or a risk management tool in terms of the implementation specifications for these two requirements; this is evident and also not the intent of its structure.

However, it provides in my opinion an exceptional assessment tool for small to medium (even larger sized) covered entities to use to assess their overall level of alignment and compliance with the Security Rule while also helping to develop a familiarity and understanding of the Rule's requirements.

Yesterday I walked through the tool with the Privacy and Security Officers of a multi-specialty clinic, and they both agreed that the tool and the resultant reports provided an excellent inventory of their current state with respect to HIPAA.

Other high points that folks have not mentioned:
- help documents that essentially can be used to create policies for each assessed section
- ability to add comments and link info to policies and procedures as needed
- ability to access the tool from any internet enabled computer (portability when doing multiple site assessments)
- simple to use

So now we are going to embark on a risk analysis and risk management assignment (often referred to as a risk assessment on list servs), and the information we obtained through the use of the tool will be very important in helping us get this done easily, quickly, and completely. To make it even easier, we are going to use the HIPAA COW toolkit, which is a risk analysis and risk management toolkit.

I am thinking of making the use of this CA tool a preliminary step with future clients because of the value it adds in walking folks through a basic assessment of where a covered entity (or business associate) has gaps that need to be addressed which may exist based on current policies and procedures.

Take this California tool and combine it with the HIPAA COW Risk Analysis and Risk Management toolkit and you have a winning combination.

-------------------------------------------
Frank Ruelas
Principal
HIPAA College
Casa Grande, AZ
-------------------------------------------

9.
RE: FREE HIPAA Risk Analysis Tool
From: David Nelson
To: Privacy Officer's Roundtable
Posted: Jun 13, 2012 12:49 PM
Subject: RE: FREE HIPAA Risk Analysis Tool
Message:
Thanks Frank. Strangely, I agree with you, but I also agree with the other commenters.

No, this tool is not all things to all providers, and it does not do the assessment without significant input (Chris's concern); it will not do the quantification of the risk without consultation; and it does not do the risk mitigation selection. I just think, as you have pointed out, it will be very useful for many small entities. When the OCR comes knocking, they will have a reason and documentation for their decision which, as we know, many small providers do not have. Just one more free tool.

Dave

-------------------------------------------
David Nelson, CIPP/G, CHRC
Privacy Officer
County of San Diego
San Diego, CA
-------------------------------------------

10.
RE: FREE HIPAA Risk Analysis Tool
From: Chris Apgar
To: Privacy Officer's Roundtable
Posted: Jun 14, 2012 6:26 PM
Subject: RE: FREE HIPAA Risk Analysis Tool
Message:
Frank,

I agree - it is a good toolkit. I also agree that the "risk analysis" part of the tool will not meet the security rule implementation specification. I think that needs to be clearly communicated, even to small and medium sized covered entities and business associates.

The tool does have an "other" category that small entities could use to list other critical assets (e.g., firewalls, facilities, bio-medical equipment, critical business/clinical processes, etc.). The tool provides a good starting point but would not meet the security rule requirements or the meaningful use risk analysis measure (they're one and the same requirement).

As with any tool, it doesn't matter how good it is; when it comes to conducting a risk analysis or evaluation (compliance assessment) there is no "out of the box" solution, because even two entities providing the same type of care or the same type of services will be somewhat unique. The toolkit is flexible and to me should be looked at as a good starting point and not something that will address all compliance requirements.

Thanks...Chris

-------------------------------------------
Chris Apgar
CEO and President
Apgar and Associates, LLC
Portland, OR
-------------------------------------------
