Using your risk analysis results, develop a plan to mitigate the identified risks.
As The Department of Health & Human Services points out, basic security measures are often highly effective and affordable.
Action plans should cover five broad categories:
- Administrative safeguards: Create processes for achieving compliance
- Physical safeguards: Protect facilities where health information is stored
- Technical safeguards: Safeguard databases, computers and other devices containing health information
- Policies and procedures
- Organizational practices
Tools and Resources for Step 5
Basic Training Tools
The following reports detail things to consider when developing an action plan.
This 11-page overview for small practices focuses on precautions associated with electronic health records.
Reassessing Your Security Practices in a Health IT Environment
The 4-page Safeguards report emphasizes that the standard is flexible and includes a Q&A to help guide organizations toward appropriate safeguards. Questions addressed include:
- E-mail of protected health information (PHI) with other providers for treatment purposes
- Email with patients
HHS published a Security Standards Series in 2007, and it includes handy checklists and sample questions to consider relating to administrative, facility and technical safe practices.
Security Series: Administrative Safeguards
Security Series: Physical Safeguards
Security Series: Technical Safeguards
Advanced Tools
A Toolkit developed by the National Institute of Standards and Technology (NIST) offers public and private organizations, large and small, guidance on HIPAA implementation requirements and can help with planning how to meet them.
This user guide notes that the Toolkit can help organizations understand how to implement security requirements.
The HHS Toolkit addresses 45 implementation specifications identified in the HIPAA Security Rule, covering:
- basic security practices
- security failures
- risk management
- personnel issues
Questions in the Toolkit help organizations:
- define and manage access, backups, recoveries, and physical security
- deal with legal issues after an incident, such as breach notifications
- manage risk through periodic reviews and evaluations, and regular monitoring practices
- address personnel access considerations
This install guide explains how to install the toolkit for each supported operating system.
NIST Toolkit Installation Guide
Special Topics
HHS offers nine SAFER Guides with how-to guidance on specific topics and on safe practices, especially relating to electronic records. The guides, in the form of fillable PDFs, include checklists and places to add notes. They can be saved and transmitted among team members.