By Jeffrey Jones | Uncategorized | November 10, 2011

I will list the steps to perform a HIPAA Risk Analysis, but since I am short on time, I am going to do this in phases. I will try to do this in the upcoming days. So everybody stand by.

Comments (4)

Jeff Jones, March 15, 2012 at 3:05 pm

Phase One: Come up with a Standardized Plan

Okay, so I guess you are a DIY (Do It Yourselfer). You could wing it, but I would suggest that you sit down and pretend that you are not affiliated with your organization. Develop a list of questions by searching the internet (lazy way) or read a book on Security Controls (really hard way). I would probably do both.

I will give a little bit away. There are three basic types of Security Controls:

1. Technical Controls: This is what most IT people focus on. A Technical Control is something that is (wait, I have to say it) technical. Ergo firewalls or Active Directory (LDAP directory for you Linux heads), passwords, and blah blah blah.
2. Physical Controls: Think of this as doors, locks, security cameras, man traps, barbed wire and security guards.
3. Administrative Controls: This is the hard part. Admin Controls are written policies and procedures. Most organizations have the first two covered pretty well. The writing part, not so much.

So………….. Next

Jeff Jones, March 15, 2012 at 3:08 pm

Creating an Interview Process. The list of questions should cover the three controls above. They should be something like, “Do you have locks on your doors?” “Do you have a firewall?” “Do you have a password policy?” Come up with as many as you can. Then put them on an Excel spreadsheet and go interview a sampling of Executives, Managers and Workers. Ask them these questions.

Jeff Jones, March 15, 2012 at 3:14 pm

Here is the outcome of this scenario: If they exist you are good. If they don’t exist you need to get them.
**** Professional Tip ****

Everything must be documented in policy so when the HIPAA police visit you after your breach, you can have some kind of defense… But that usually only works for people that document and follow the HIPAA Rules, and they usually don’t have breaches. (Weird)

Jeff Jones, April 2, 2012 at 11:15 am

So, now we have done our interviewing process… Next step is policy review. I recommend that you have several policies. These policies should encompass and document everything you do. In the Marine Corps, we called it Standard Operating Procedures or SOP. In Healthcare IT it is called a Policy Framework. I will talk next about how to build a policy framework.
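As an added example (not from the post or its author), here is a small Python gap tracker for the interview process and its outcome described in the March 15 comments: questions grouped by the three control types, yes/no answers from a sampling of executives, managers and workers, and each control sorted into "exists", "gap" or "disputed". The questions and answers are constructed, and the "disputed" rule (roles disagree, so the control may exist on paper but not on the floor) is this example's own assumption.

```python
from collections import defaultdict

# Constructed questionnaire: a few yes/no questions grouped by the three
# control types from the post. A real analysis needs many more.
QUESTIONS = {
    "Q1": ("Technical", "Do you have a firewall?"),
    "Q2": ("Technical", "Do you have a password policy?"),
    "Q3": ("Physical", "Do you have locks on your doors?"),
    "Q4": ("Physical", "Do you have security cameras?"),
    "Q5": ("Administrative", "Is there a written procedure for revoking access?"),
}

# Constructed answers from the sampled roles. True means the respondent
# says the control exists; False means "no" or "not that I know of".
ANSWERS = [
    {"role": "Executive", "Q1": True, "Q2": True,  "Q3": True, "Q4": False, "Q5": True},
    {"role": "Manager",   "Q1": True, "Q2": True,  "Q3": True, "Q4": False, "Q5": False},
    {"role": "Worker",    "Q1": True, "Q2": False, "Q3": True, "Q4": False, "Q5": False},
]


def analyze(questions, answers):
    """Sort each control into 'gap' or 'disputed' by category.

    gap:      nobody reports the control -> you need to get it.
    disputed: roles disagree -> the control may exist on paper but is not
              known or followed on the floor; treat as a follow-up item,
              not a pass (this rule is the example's assumption).
    """
    gaps, disputed = defaultdict(list), defaultdict(list)
    for qid, (category, text) in questions.items():
        votes = {a["role"]: a[qid] for a in answers}
        if not any(votes.values()):
            gaps[category].append(text)
        elif not all(votes.values()):
            said_no = sorted(r for r, v in votes.items() if not v)
            disputed[category].append((text, said_no))
    return dict(gaps), dict(disputed)


def report(questions, answers):
    """Plain-text findings, one line per item, ready for the spreadsheet."""
    gaps, disputed = analyze(questions, answers)
    lines = [f"GAP      [{c}] {q}" for c, qs in gaps.items() for q in qs]
    lines += [f"DISPUTED [{c}] {q} (no: {', '.join(w)})"
              for c, items in disputed.items() for q, w in items]
    return lines


if __name__ == "__main__":
    print("\n".join(report(QUESTIONS, ANSWERS)))
```

Controls every respondent confirms produce no line; the disputed items are the ones to check against written policy before calling them covered.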