Office of Civil Rights on HIPAA/HITECH Enforcement
Leon Rodriguez from the Office of Civil Rights was recently interviewed about OCR's findings from its pilot audits and investigations. The direction is clear — covered entities need to have practical and comprehensive data security programs in place that start with a solid risk assessment and overall risk management plan. With a long “inventory” of OCR cases yet to be investigated, it seems many covered entities may not have data security programs that are deemed adequate.
A few good links are below:
>> Interview with Mr. Leon Rodriguez — his final comments are interesting, Business Associates “Get Ready”!
>> NIST 800-66 Resource Guide for HIPAA Compliance — this document is consistent with Mr. Rodriguez's comments
Do you have an inventory of all your hardware and software that stores or transmits EPHI? Without this, how can you complete your risk assessment?