Health Insurance Portability and Accountability Act (HIPAA) compliance is based upon identifying potential risks to Protected Health Information (PHI) and Personally Identifiable Information (PII). Completing an inventory of the PHI and PII that you hold and reviewing the current physical, administrative and technical measures that are in place to protect that data is critical to ensuring compliance with HIPAA mandates. Also key is determining what additional measures need to be put into place to mitigate the risks that have been identified.
An inventory allows for a complete account of every element of PHI that an organization holds. The inventory should include all software and applications that ‘touch’ PHI and PII, and all devices that PHI and PII are stored on or are processed on. By completing the PHI and PII inventory, you will have a single catalog that lists all forms of both data at rest and data in motion.
Determine who has access to each application and data store, and what level of access each entity has. An entity can be an application that accesses a data store, or an individual that can either utilize an application or directly access a data store. Evaluate what level of access each entity has, catalogue the level of access and determine if the level of access is appropriate based upon the job description of the person or process. Make appropriate adjustments to access control as appropriate.
Please log in or register below to read the full article.