NIST Prepares HIPAA Security Toolkit
Targets December Release for Compliance HelperExeter Government Services, a Gaithersburg, Md.-based consulting firm, is developing the toolkit under a contract with NIST. It's a downloadable interactive application that poses a series of questions and offers activities regarding 42 implementation specifications for the HIPAA security rule, says J.P. Chalpin, director of engineering at Exeter. A prototype already includes some 1,000 questions organized in what amount to decision trees that point the user to appropriate issues to resolve.
The Department of Health and Human Services' Office for Civil Rights is still working on a final version of HITECH Act-mandated modifications to the HIPAA security rule, as well as HIPAA privacy and enforcement provisions. Exeter will collaborate with NIST to update the toolkit as necessary in light of the final modifications, says Kevin Stine, NIST information security specialist.
The partners described the project Wednesday at a HIPAA security conference in Washington co-sponsored by OCR and NIST. Also at the show, an OCR official said the final rule containing the HIPAA modifications would be released as part of an omnibus package of regulations sometime this year (see: HITECH Mandated Regs Still In Works).
The toolkit "will help organizations better understand the requirements of the HIPAA security rule," Chalpin says, but it will not enable users to produce definitive proof of compliance. It will, however, prove helpful in supporting risk assessments, he adds. Plus, he says the application will help organizations produce information "that you'll need to have available if the government comes knocking" to check HIPAA compliance.
Content in the toolkit will be available for re-use by others in their own applications, Chalpin says. The content covers basic security practices, such as access control, backups and physical security; factors involved in handling security failures, such as legal issues to address after a breach incident; risk management issues; and personnel issues.