security evaluation (HIPAA)

As a part of a covered entity's administrative safeguards, there must be a "periodic" security evaluation:

A technical and non-technical evaluation, based initially upon the standards implemented under this [Security Rule] and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information [PHI], that establishes the extent to which a covered entity's security policies and procedures meet the requirements.....

Covered entities must assess, among other things, how changes in technology or shifts in risks affect their compliance posture. The requirement for both "technical and non-technical" assessment indicates that the evaluation cannot be confined to just information systems, narrowly defined. It must include a review of all safeguards and systems.

Security evaluations can be performed by members of the entity's own workforce or by an external organization such as an accreditation agency (which would be acting as a business associate). That assignment is, DHHS notes, "a business decision to be left to each covered entity." (Final Rule, p.109)

DHHS has not offered guidance as to what a reasonable and appropriate definition of "periodic" would be. Such evaluations would usually be congruent with assessments that a covered entity must perform under the security management process standard, particularly the risk analysis and risk management components (which must also be performed "periodically").