Directions for HIPAA security rule compliance are contained in the National Institute of Standards and Technology (NIST) “Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (SP 800-66 Rev. 1).”
Bringing a covered entity and its business associates into compliance with the HIPAA security rule is a four-step process.
- Update the business associate contract. As noted in the ARRA, security rule compliance “shall be incorporated into the business associate agreement between the business associate and the covered entity.” NIST SP 800-66, p. 48, notes that it is appropriate for covered entities to request network risk assessments from their business associates.
- Have the business associate acquire a copy of the HIPAA Compliance Reporter from ACR2.
- Have the business associate scan their workstations and create the Information Security Risk Assessment and the HIPAA Compliance Report. Have the business associate convey a copy of the reports to the covered entity; this transfer may be done manually or electronically. Risk Assessment summaries use an easily understood red/yellow/green report format. The HIPAA Compliance Report is a clause-by-clause review of the Security Rule with the current status of the business associate network.
- Once the business associate networks have been secured, a similar process is done for the covered entity. Each department, if more than one, may be treated as a separate risk source.
TRALE can provide a copy of its HIPAA compliance report by request through our contact form.