Quick summary of the standard
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law governing the protection of sensitive patient health information from unauthorized disclosure. There are five fundamental rules: the Privacy Rule, the Security Rule, the Enforcement Rule, the Breach Notification Rule, and the Final Omnibus Rule (of 2013). Each rule complements the others, and the primary focus for information security is the Security Rule.
Over time, HIPAA has been revised and clarified. Important dates in HIPAA’s history:
- August 1996 – HIPAA Signed into Law by President Bill Clinton.
- April 2003 – Effective Date of the HIPAA Privacy Rule.
- April 2005 – Effective Date of the HIPAA Security Rule.
- March 2006 – Effective Date of the HIPAA Breach Enforcement Rule.
- September 2009 – Effective date of HITECH and the Breach Notification Rule.
- March 2013 – Effective Date of the Final Omnibus Rule.
HIPAA can be confusing, so to simplify, here’s what you need to know:
- HIPAA applies to all healthcare entities.
- HIPAA also applies to all organizations doing business (directly and indirectly) with healthcare entities (called “Business Associates”).
- HIPAA requires a risk-driven approach to information security, encompassing administrative, physical, and technical safeguards.
SecurityStudio’s S2Org is fully capable of measuring compliance with HIPAA.
Description of the report contents (what it is and what it isn’t)
The HIPAA Security Rule Gap and Risk Assessment is an easy-to-read and easy-to-understand report comparing your information security program with HIPAA requirements. SecurityStudio has taken the pain and confusion out of interpreting HIPAA requirements by aligning the S2Org with the only “official” audit protocol developed by the U.S. Department of Health & Human Services (DHS) Office for Civil Rights (OCR) and with the text of HIPAA itself. Using the S2Score algorithm, the comparisons are objective representations of HIPAA compliance.
Who can use it
The HIPAA Security Rule Gap and Risk Assessment is used by anyone who has a vested interest in the level of HIPAA compliance.
- Organizations include healthcare providers (healthcare systems, hospitals, clinics, etc.) and Business Associates (managed service providers, vendors, consultants, etc.).
- Individuals within these organizations include boards of directors, executive leadership (CEOs, CFOs, CAOs, CIOs, CISOs, etc.), information security management personnel, and others.
- The HIPAA Gap Specialty Report has stood up to rigorous regulatory scrutiny, so it is also used by DHS/OCR.
Reports are not only used for regulatory comparison and measurement, they’re also used for strategic information security planning.
How to use the HIPAA Gap Specialty Report
Accessing the report couldn’t be simpler. Complete the S2Org information security risk assessment and the HIPAA Security Rule Gap and Risk Assessment report will be generated automatically.
In general, the steps for using the report are:
- Download the report and look at the level of compliance risk. Compliance risk is represented by the S2Score on a scale between 300 and 850. A higher S2Score means less compliance risk.
- Review the areas where S2Scores are lowest. The lower the S2Score in a certain area, the larger the gap.
- Use this information (among other factors) to help prioritize your organization’s approach to addressing risk.
- Once you’ve familiarized yourself with the report, begin extracting specific tasks from it to build your roadmap/action plan. Alternatively, you can do the same things programmatically within the SecurityStudio S2 Platform.
We developed this report, and all reports, from customer feedback. As you familiarize yourself with the report, tell us more about how we can make your information security life simpler!