The first task in identifying what actions to take in accordance with HIPAA Title II, Administrative Simplification, Security Rule is a Risk Assessment covered under § 164.308(a)(1)(ii)(A).
The risk assessment must cover the three basic areas of Administrative, Physical and Technical safeguards and, for each requirement, identify the current state of compliance, the actions needed, the person responsible and, ideally, a time frame. After completing the risk assessment, Covered Entities must carry out their Risk Management actions, which is another key requirement. Remember that many of these regulations and their requirements may also be covered under other regulations and programs. For example, a CE that has attested under Meaningful Use and is found during an audit not to be in “good faith compliance” with HIPAA could face penalties, including having to return the Meaningful Use incentive money.