There were some omissions and errors on the original NIST SP 800-66 excel spreadsheet. Thanks to several folks who took the time to verify the original spreadsheet, those omissions and errors have been corrected and the corrected version is attached.
If you are receiving ShareHIPAA group messages in digest mode, the excel spreadsheet will not be included, and Yahoo! groups does not store attachments in the messages section (the message archives). The excel spreadsheet has been uploaded to the files section of ShareHIPAA. To access the files section, go to the ShareHIPAA group's homepage at
http://health.groups.yahoo.com/group/ShareHIPAA , sign in with your Yahoo! ID and password, and select "Files" from the left column. The spreadsheet appears like this in the files section:
nisthipaaguides.xls
Msg #187 & 188 NIST SP 800-66 in excel
There are also some other good NIST related documents in the Files section of ShareHIPAA. As all the attachments that are posted to ShareHIPAA group are uploaded to the ShareHIPAA Files section, the ShareHIPAA Files section has evolved into a good HIPAA reference library. Check it out!
Thank you,
Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
mcgowins@...
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.
----- Original Message -----
From: Barbara McGowin
Sent: Monday, May 17, 2004 7:47 PM
Subject: [ShareHIPAA] NIST SP 800-66 in Excel

I tried to take DRAFT NIST SP 800-66 and boil it down to a simple spreadsheet. It was suggested that the actual HIPAA language be provided so that those who prefer to work off the HIPAA Security Rule could do so. That way, if they didn't understand the standard or the implementation specification, they could cross-reference the NIST guidance recommended for that specific sub-section.

Bricker and Eckler represents the Ohio Hospital Assn. The particular link below is for their tab "Regulations by Topic". There, each regulation section you click on (e.g. 512 b, looking for information about Death Notice) is followed immediately by the preamble discussions of that section. This saves you from having to flip back and forth from reg to preamble. And you can do a text search or find.
http://www.bricker.com/hipaa/hipaaindex.asp
I have added the url for the regulation by test from the Bricker and Eckler/Ohio Hospital Assn. website for each main section (administrative, physical, and technical) in the spreadsheet. I have also provided the corresponding recommended NIST guidance for each sub-section as provided by DRAFT NIST SP 800-66. I could not figure out how to set up the spreadsheet differently, and I know the attachment is very awkward to print and to use in paper format. Hopefully, those who use it will be able to hyperlink to the urls provided and skip the printing of it.

I don't believe having references readily available will remove the need for most organizations to seek assistance from third parties. You need four primary skill sets/experience to be successful with HIPAA security compliance:
1. Understanding of the HIPAA security standards and implementation specifications
2. Understanding of the business processes and the day-to-day actions of the workforce
3. Understanding of the technical aspects, capabilities, and risks of your systems containing ePHI
4. How to implement and integrate reasonable safeguards into your business processes and the day-to-day actions of your workforce (enterprise-wide project management).

However, with limited time and resources, having good information readily accessible may allow a covered entity to direct what limited resources they can devote to security to those areas where there is the greatest deficiency.

You will notice that DRAFT NIST SP 800-53 (Recommended Security Controls) is listed as NIST guidance for all HIPAA security standards and implementation specifications, except one. Once you have identified your security vulnerabilities, or gaps, and have provided a security categorization for your systems, NIST SP 800-53 is a great resource to help write policies and procedures, determine specifications of needed technical capabilities of your systems, and develop RFIs and RFPs.
Getting proficient with using NIST SP 800-53, in my opinion, is one skill set someone on your HIPAA compliance team must have. So after you have conducted your risk baseline assessment and are ready to mitigate the identified gaps, look at the NIST recommended security controls to help write those policies and procedures, and determine what technical security capabilities you would like in upgrades or system replacements.

There is an audio/video presentation that spends about 30 minutes explaining the NIST security controls and how to use the DRAFT NIST Special Publication 800-53 in your mitigation planning. You can access the presentation by clicking on the link below 24/7; it is provided freely to all by Blass Consulting, LLC.
http://www102.placeware.com/cc/complyassistant/view?id=NZTQJ4
Requires name, no password, then email address and company name. (1 hour 2 min.)

For high-speed and broadband connections, choose the 2nd file option. It is called "Microsoft Office Live Meeting Replay: Windows MediaTM - formatted streamed audio & video". When the Windows Media window opens, you can right-click on the window, then click on Zoom, and then click on Full Screen.
For 56K modems, your bandwidth will not support video. You can choose the 1st file option. It is called "Basic recording with Windows Media TM formatted streamed audio". You can listen to the recording and refer to the attached document for the urls mentioned in the recording. This may not be very helpful. If you can get to a PC with high-speed internet access, I would recommend viewing it this way.

If you would like to see other good HIPAA presentations, please visit www.complyassistant.com and select "Presentations" from the top horizontal menu bar. There you can find audio/video recordings (new ones are constantly being added) along with their corresponding PowerPoints. Most of the presentations on the ComplyAssistant website also have corresponding white papers. You can access these white papers from the left column on most of the site's pages.

Thank you,
Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
mcgowins@...
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.