HIPAA and Information Security Risk: Implementing an Enterprise-Wide Risk Management Strategy

February 2001 Article
Christopher J. Alberts, Audrey J. Dorofee

In this article, the authors describe an information security risk evaluation that enables risk assessment and mitigation consistent with HIPAA guidelines.


The Health Insurance Portability and Accountability Act (HIPAA) of 1996 effectively establishes a standard of due care for healthcare information security. One of the challenges of implementing policies, procedures, and practices consistent with HIPAA requirements in the Department of Defense Military Health System is the need for a method that can tailor those requirements to a variety of organizational contexts. This paper describes a self-directed information security risk evaluation that enables military healthcare providers to assess their risks and to develop mitigation strategies consistent with HIPAA guidelines.