ABSTRACT

Organizations have typically approached Health Insurance Portability and Accountability Act (HIPAA) security readiness by starting with the HIPAA security requirements and applying them to their information technology (IT) departments. By relying solely on this approach, organizations have failed to recognize that security is cross-organizational, involving business units and individual users alike. Organizations can functionally decompose themselves in a number of ways, including by IT environment, strategic initiative, key business process, or location. The HIPAA security requirements were designed to be used as guidelines, which means that each organization needs to interpret how it will implement them. The first step in defining the scope of the security requirements is to understand the generally accepted practices and principles and where they apply for each of the requirements.