Why Should You Care About HIPAA?
Why should county executives, commissioners, and managers be concerned about the HIPAA Security Rule?
The answer is simple. You, as a commissioner or executive, will be held responsible if your organization suffers a catastrophic security event or breach. Most county governments don’t have even minimally acceptable information security and cybersecurity programs in place. Ask your CIO or IT director about it and he or she may tell you they have it covered, but this is rarely true.
For many county commissioners and executives, Information Security (Infosec) and HIPAA compliance are not even on the radar. If you look at most county operations, though, you’ll find that many fit the definition of a covered entity (CE) and have protected health information (PHI). County governments tend to offer services such as mental health, public health, social services, substance abuse treatment, probation, correctional facilities, and others that maintain statutorily protected information. In addition to PHI, other operations such as a county recorder may maintain publicly available personally identifiable information (PII).
Policies, processes, and procedures for managing all this information should be addressed at the highest levels of the organization rather than departmentally. Furthermore, all departments should operate at the highest level of security required by statute, best practices, and the policies you develop. Maintaining separate information security policies and practices for each department is impractical and is likely to create security gaps.
Making all this happen isn’t a job for your IT Director. It requires a multidisciplinary team that includes your attorneys, HR, commissioners, executives and other stakeholders.
You, as a commissioner or executive, will be held responsible if your organization suffers a catastrophic security event or breach.
If a pervasive awareness of privacy and security is not currently part of your organizational culture, a huge cultural change will be necessary, and addressing this change is part of the mission of your multidisciplinary team.
In this 5-minute video, I cover the basics of using HIPAA as a framework for county information security programs.
As you watch the video, keep the following questions in mind:
- Do you have a comprehensive security policy?
- Does your security policy address, at a minimum, all 38 areas of the HIPAA Security Rule?
- Did you create your policies, processes and procedures with a multidisciplinary team that includes executives, board members (county commissioners or city council members), attorneys, HR, and other important stakeholders?
- Who is ultimately responsible and accountable for information security in your organization?
- How do you know if your information security program is working and up to generally accepted standards?
Subscribe to our Awesome Newsletter.