Are you a covered entity?\nBasing a county\/municipal information security (infosec) and cybersecurity framework on HIPAA is a logical choice, especially if you have one or more covered entities (CE) in your organization.\nHow do you know if you have or are a CE? If some department or division within your organization is a healthcare provider, a health plan or a healthcare clearinghouse, they are a CE. If you have clinics, doctors, psychologists, clinical social workers, chiropractors, nursing homes or pharmacies, you are a CE [i]. Moreover, many counties have divisions or departments that function as accountable care organizations (ACO), managed care organizations (MCO), healthcare clearinghouses or health maintenance organizations (HMO). These are all common functions, especially within large county governments.\nAre you in compliance?\nIf anything described above applies to your county or municipal organization, one or more divisions of your organization is a CE and is required to be in compliance with both the HIPAA Security Rule and the HIPAA Privacy Rule.\nIn my experience, most county governments that have covered entities are out of compliance. Where does your organization stand?\nI suspect what often happens is that executives look at something like information security policy requirements and say:\nThis has tech words in it. IT handles tech stuff. Therefore, I\u2019ll turn it over to IT to handle.\nWhat a huge mistake. An organizational policy dealing with the manner in which information is handled, regardless of whether or not HIPAA regulations apply, requires communication and coordination with legal, HR, IT, information security, risk management, archives, county clerks and other divisions within your organization. It\u2019s not a tech issue; it\u2019s a high-level, interdisciplinary executive function. It is an information governance (IG) issue, and it shouldn\u2019t be handed off to your IT director or CIO to address unilaterally.\nTrust but verify\nThere are a number of reasons why IT should not be delegated sole responsibility for organizational information security. For one, a successful information security program requires checks, balances and oversight. Trust but verify! A successful program also requires expert knowledge of departmental business processes that often exceeds the knowledge of the IT staff. Moreover, if your department heads have equivalent status within the organization, it is not appropriate for a CIO or IT director to unilaterally dictate policy to his or her colleagues of equal status. There are far too many IT departments that have adversarial relations with their end users because of their autocratic and often illogical decrees. Information security requires a team approach with executive and board oversight.\nExtend HIPAA to your enterprise\nIf you have covered entities in your organization and have limited or nonexistent enterprise security policies, I would recommend that you consider building your entire enterprise information security policy on the HIPAA Security Rule in order to raise the entire organization up to that that level while also getting compliant with federal law.\nWhy? It is highly probable that your organization uses shared facilities, shared IT infrastructure and shared services. Multiple information security levels create a significant management challenge and are certain to cause chaos and confusion. Multiple security stances will lead to security gaps and ultimately to breaches. Keep it simple and operate at the highest standard using generally accepted, good practices.\nDevelop your policy with the HIPAA Security Rule\nThere are two major components to HIPAA, the Privacy Rule and the Security Rule. For the purpose of this discussion, only the Security Rule matters, but we\u2019ll definitely discuss privacy another day.\nThe original HIPAA Security Rule document, 45 CFR Parts 160, 162 and 164 Health Insurance Reform: Security Standards; Final Rule, is 49 pages of small print. However, the meat of the document is contained within the final six pages and includes a handy matrix on page 48 (8380 of the federal register).\nThe security standards in HIPAA are broken down into three sections, each of which has multiple layers and sub components:\n\nAdministrative Safeguards (9 components)\nPhysical Safeguards (4 components)\nTechnical Safeguards (5 components)\n\nThese three major areas break down into at least 43 separate policy areas where your organization must build safeguards, including risk analysis, contingency planning, backup, passwords, HR sanctions and terminations, disaster recovery, encryption and many more.\nUsing the components in the matrix should enable you and your IG committee to quickly generate a suite of security policies and procedures that, when implemented and enforced, will vastly improve your current information security stance.\nThese are all policy areas that must be addressed as a matter of good practice whether or not you are a covered entity. This is why HIPAA is an excellent starting point for municipal governments that are infosec policy deficient.\nNext Steps\n1. Find out where your organization stands in terms of information security policies and procedures.\n2. Find out whether or not you have covered entities in your organization. Must you comply with HIPAA? Are you compliant?\n3. Meet with your IG committee to discuss your findings.\n4. If you don\u2019t have an IG committee \u2014 start one!\n5. Download and review the HIPAA Security Rule. Use it to build your organization\u2019s information security policies.\n6. Use either the PDCA (Plan, Do, Check, Act) approach or the DMAIC (Define, Measure, Analyze, Improve, Control) approach to maintain continuous improvement.\n7. Begin building a culture of security in your organization.\nWe\u2019ll continue the discussion next week, so check back then.\nReferences\n[i] Covered Entities and Business Associates, U.S. Department of Health and Human Services.