HIPAA and information security risk: Implementing an enterprise-wide risk management strategy

The Health Insurance Portability and Accountability Act (IAA) of 1996 effectively establishes a standard of due care for healthcare information security. One of the challenges of implementing policies, procedures, and practices consistent with HIPAA requirements in the Department of Defense Military Health System (MHS) is the need for a method that can tailor the requirements to a variety of organizational contexts. This paper will describe a self-directed information security risk evaluation that will enable military healthcare providers to assess their risks and to develop mitigation strategies consistent with HIPAA guidelines. The self-directed risk assessment can be tailored for the ranges of operating environments found in the MHS. It will focus on both organizational and technological improvements using the HIPAA regulations as a benchmark for information security readiness. The evaluation will utilize a interdisciplinary team in an organization to oversee the process and apply recommendations generated by the team. In addition, staff from multiple organizational levels in the organization will contribute their unique knowledge of the enterprise's operations. This information combined with technology-based vulnerabilities yields the organization's risks. This paper will also describe the results of early field tests of the evaluation and provide a summary of lessons learned.