Identifying vulnerabilities is a key first step, but what follows is the most important

The old adage, “success is 2% inspiration and 98% perspiration” also applies to HIPAA Privacy and Security. It is one thing to know what you need to do, but it is another to actually follow through and do it.

With the requirements of HIPAA and Meaningful Use attestation, practice administrators are tasked with completing a Security Risk Assessment, whether done internally or through a third party. The practice usually believes it has already done one, or plans to do one internally or with an outsourced IT firm. In reality, however, the IT staff have typically gone through and checked a few hardware or network items, and have either updated those items or given the administrator a proposal to update everything. ALERT: THIS IS NOT THE SECURITY RISK ASSESSMENT that HIPAA and Meaningful Use have in mind. Furthermore, and equally important, this process usually does not generate a Corrective Action Plan (a.k.a. Remediation Plan).

A Corrective Action Plan is not fully understood by most healthcare organizations. It identifies the vulnerable areas of the practice (as they relate to PHI, Protected Health Information) and provides a way to track remediation efforts.

The Corrective Action Plan is a “living document” that reflects the findings of the most recent Security Risk Assessment. Each identified risk is mapped back to the infrastructure (both IT and general) to help prioritize the fixes. It is considered “living” because it contains risk-based tasks that must be addressed by the practice/covered entity. While the tasks are prioritized by risk level and impact to the organization, they generally cannot all be completed quickly. Therefore, the document “lives” by having the responsible person(s) update the progress of each task as it is completed. This process is repeated throughout the year until the next Security Risk Assessment is performed, at which time a new and revised Corrective Action Plan is created.

The keys to successfully protecting PHI are to understand how to complete a Security Risk Assessment that properly identifies the risks, and how to generate a Corrective Action Plan that prioritizes those risks. By tackling these two items, a strategy can be formed for mitigating the majority of a covered entity’s vulnerabilities. Of equal importance is making sure that someone within the organization is following through and completing the outstanding tasks, or that you are working with someone to help you remediate them. Finally comes updating the Corrective Action Plan in preparation for the next risk assessment.


Bill Steuer
GSG Compliance, LLC
