Risk Analysis-Risk Management is the foundation for HIPAA compliance. It enables you to find and manage risks to avoid violations that could cause breaches, government investigations and expensive penalties. There are several parts to a full Risk Analysis and the Risk Management Plan that flows from it. This blog continues our explanation of the basic parts of an effective Risk Analysis. They’re easy to do, step-by-step, when you know the steps.
Over the past two months we discussed IT Asset Inventory, Business Associate Due Diligence, and How to Create a HIPAA Contingency Plan. Each is part of a full HIPAA Risk Analysis. Today we look at the Security Rule Checklist, which covers the safeguards for electronic protected health information required by the HIPAA Security Rule.
A full Risk Analysis evaluates risks to the privacy and security of protected health information that an organization creates, receives, maintains or transmits in any form or format. The Security Rule Checklist is critical for identifying risks to protected health information that is maintained or transmitted electronically.
The Security Rule Checklist is what some may call a security risk assessment but it is only part of a full HIPAA Risk Analysis.
The Security Rule – Electronic Protected Health Information
The HIPAA Security Rule establishes standards for the protection of Electronic Protected Health Information (EPHI). Both covered entities and business associates must comply with the Security Rule. EPHI is Protected Health Information (PHI) created or received by a covered entity and transmitted by or maintained in electronic media. By definition, all EPHI is PHI.
The Privacy Rule Also Applies – Fundamental Standards for EPHI
The HIPAA Privacy Rule establishes:
A. Standards for uses and disclosures of all PHI including EPHI that covered entities and business associates are permitted and required to make; and
B. Standards for the rights of individuals regarding their own PHI including EPHI. The Privacy Rule also requires that covered entities have appropriate Administrative, Technical and Physical Safeguards in place to protect the privacy of all PHI.
Security Rule Safeguards
The Security Rule requires covered entities and business associates to protect against uses and disclosures of EPHI that are not permitted or required by the Privacy Rule. They must:
A. Implement security measures consisting of appropriate Administrative, Physical and Technical Safeguards to ensure the confidentiality, integrity, and security of EPHI they create, receive, maintain or transmit;
B. Protect against reasonably anticipated threats to the security or integrity of EPHI; and
C. Ensure compliance with the Security Rule by their workforce.
The Security Rule Provides a Blueprint to Prevent Cyber Crime
The importance of implementing the Security Rule safeguards cannot be overstated. Since the Security Rule became effective in 2005, the amount of EPHI transmitted by and maintained in electronic media, with assistance from Federal financial incentives, has grown dramatically. However, breaches of unsecured EPHI that could have been prevented by Security Rule compliance are routinely reported. Criminal attacks targeting electronic information in healthcare include medical identity theft and extortion, including ransomware attacks. Both are urgent, persistent and growing threats.
Security Rule Overview
The Security Rule is made up of standards and implementation specifications.
A standard is a rule, condition, or requirement concerning the Privacy of EPHI and implementation specifications are specific requirements or instructions for implementing a standard. Together they establish:
A. Security Measures – the Administrative, Physical and Technical Safeguards to protect the Information System (interconnected EPHI resources including hardware, software, information, data, applications, communications and people) of a covered entity or business associate; and
B. Security Rule organizational requirements for covered entities including business associate agreements, policies, procedures and documentation.
- Administrative Safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect EPHI and manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of EPHI.
- Physical Safeguards are physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment from natural and environmental threats and unauthorized intrusion.
- Technical Safeguards are the technology, and the policies and procedures for use of that technology, that protect EPHI and control access to EPHI.
Security Rule Implementation Specifications – Required and Addressable
Security Rule standards may have implementation specifications labeled as Required, Addressable or both.
The methods for complying with Required implementation specifications are different from methods for complying with ones that are Addressable. However, in all cases, covered entities and business associates are required to comply with every Security Rule standard, whether Required, Addressable, or both.
“Addressable” does not mean “optional”. To comply with an Addressable implementation specification, organizations must evaluate it to determine whether it is reasonable and appropriate within their specific environment based on the specification’s likely contribution to protecting EPHI. The evaluation should consider a variety of factors such as the organization’s Risk Analysis – Risk Management Program, size, complexity, technical infrastructure, hardware and software security capabilities, security measures already in place and the cost of implementation.
The Security Rule Checklist in The HIPAA E-Tool®
In the Risk Analysis we gather information and identify risks. The HIPAA E-Tool® organizes the Risk Analysis in logical order and provides step-by-step guidance through each part of it. The Security Rule Checklist, derived from the exact standards and implementation specifications of the Security Rule, is an important part of this.
There are fifty-seven questions – simple to answer – requiring a “yes”, “no” or “in progress” answer. They range from “Have you identified a person to serve as the Security Official?” to “Do you implement encryption procedures to encrypt EPHI whenever deemed appropriate?” to “Do you implement Automatic Logoff Procedures that terminate a session after a predetermined time of inactivity?”.
There is no wrong answer, because a Risk Analysis is designed to bring issues and risks to the surface. Every organization has issues and risks to manage. If a question in the checklist is answered “no” or “in progress”, the interactive E-Tool program will bring that answer forward into a later step where a staff member can be assigned to address the risk.
The last step is documentation, because every Risk Analysis should be documented. All the work is saved, and can be archived once complete. The following year’s Risk Analysis is much easier with all the data gathered and saved in one place. And if an organization is audited or investigated, proof of the Risk Analysis work is essential.
If you need help getting organized, let us know because The HIPAA E-Tool® can help.