Plus, you have to know what information is where, so if something goes wrong, you know who to notify and why.
What is the information security management process? Because that's really what it takes to be able to manage all your information and keep it safe. And now you have to protect the confidentiality and integrity and availability of information, all three of those. And of course, there's the obvious confidentiality and availability: you have to have it available to the people that do need it. But confidentiality has to apply where you have people who don't need it, in order to maintain HIPAA compliance.
So you have to do these things to protect the information's security. And a management process is something like, if you think of a management process for how you run a company or a factory that's making widgets. You have to understand what you're doing. What do you have? What are you making? What does your physical plant look like? What are your raw materials?
And how well are those performing? Are you turning out so many boxes of cereal, or are they coming out properly? Do you have any problems? Are there production problems? Are you having problems getting ingredients, or problems shipping things out, or some production problems during the manufacturing?
And then also, do you get together on a regular basis and review things and look at issues and things like that? That's the kind of thing a business does. You get together for a monthly meeting or a quarterly meeting and say, "Hey, what's going on?" And then you make changes based on bang for the buck. And that's sort of a business process and management process.
But if you try to deal with the idea of information security, what are you doing? You want to understand what you have, which is that you have an information inventory and an information flow analysis, so you know what information you have and where it's going, because what you're talking about, your product here, is information security, okay?
So where is that information? Where is it going? And do you have the walls of your factory? Do you have access and configuration controls, so that only the people who should get the information can get the information?
Ensure HIPAA Compliance: And do you know what's going on in your networks and systems? So, do you know what's happening on your factory floor, if there are any problems, if something is going wrong? These are incidents. An incident is a good thing. An incident is something that you can learn from, because something went wrong and you can change things so it doesn't go wrong again in the future. So incidents are not to be avoided. Incidents should be honored.
And you need to get together for your monthly meeting or whatever. That's the same thing as auditing: a review on a regular basis, and whenever operations or the environment change. So whenever something changes significantly, or time goes by, you need to get together and look and see, are we doing things right?
And in this case, instead of making your decisions based on bang for the buck, it's on reduction of risk. And that's where we're talking about risk analysis, because risk analysis is an essential part of the HIPAA security rule compliance process.
And if you're in compliance with the HIPAA security rule, you need to be able to move right along with your HIPAA compliance activities for security right now, because it's part of what you need to do to prevent the breaches in the first place. And also to know when you do have a breach, so you have time to respond to it.
There's a lot of flexibility, because every organization is different. The rule has to cover everything from a very small physician's office, or a small organization that has maybe one or two individuals, to a large multi-state hospital system with tens of thousands of employees across multiple jurisdictions and multiple facilities and things like that.
There has to be a lot of flexibility to be able to deal with this. So, you'll have to figure out what's right for your organization and justify what you do. You have to understand how you work. You have to do some risk assessment, and you have to document a lot.
As far as what the HIPAA security rule is, there are some general HIPAA rules: ensure the confidentiality and integrity and availability of information, protect the information, ensure that the workforce is complying with things, use some flexibility.
There are 18 standards and then 36 implementation specifications. And you have to meet all the standards and do the best you can with the implementation specifications, and meet them however you can, whether they're required or addressable, but you have to do what you can with them. And document everything and review things on a regular basis.
It's kind of a simple overall approach to information security. And there are several sections covering the safeguards you have to implement, and they're all sort of very standard information specifications.
The flexibility section does say that you have to do whatever is right for your organization. And it really helps you think through the question of what information do I have, okay? Because that's the idea: you need to understand what information you have. Where is it and where is it going? Because if you don't know where your information is and where it's going, if a device is breached you don't know what information was on it. You don't know what you've lost. You can't just notify all your customers, all your clients, all your patients whenever there's a breach. You have to know what information is where, so if something goes wrong, you know who to notify and why.