Wednesday, May 4, 2016

Do You Understand The HIPAA Security Risk Management Process?

Risk Analysis Requirements Under The Security Rule
The HIPAA Security Rule requires that covered entities (your practice) conduct a Security Risk Analysis/Assessment for your organization, at minimum, once per year. It is critical that practices perform the Security Risk Analysis for several reasons. It is important for complying with HIPAA and with the rules and regulations of Health and Human Services (HHS) and the Office for Civil Rights (OCR), but there is also what you should consider a more motivating reason: protecting your practice (and bank account) from what could become debilitating fines and penalties.

The Security Management Process standard in the Security Rule requires each organization to "implement policies and procedures to prevent, detect, contain, and correct security violations" (45 C.F.R. § 164.308(a)(1)) that apply to its particular practice. Risk Analysis is one of four required implementation specifications that provide instructions for implementing the Security Management Process standard. This article covers the Risk Analysis implementation specification of that standard. Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization.

(Each organization must evaluate for itself the most appropriate answers to the questions contained in its own Risk Analysis.) From the information gained while conducting your Risk Analysis, you should prepare a Security Risk Action Plan documenting your findings, your conclusions, and your plans to address risk issues.

This Action Plan should identify the current state of your practice in 3 areas: Environmental, Facility, and Hardware/Software controls (also known as human, natural, and environmental threats). It should also rank issues from high to low risk and prescribe plans of action to address those issues in priority order, as deemed necessary. Document your plans based on the risk analysis findings and your practice's available resources so that your higher-risk issues are reduced first, and document the policies and procedures you will follow going forward to mitigate damage, disruption, or loss of Protected Health Information (PHI). The Security Rule requires the Risk Analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).) The Risk Analysis documentation is a direct input to your Risk Action Plan and overall Risk Management Process.

The following questions are examples that your organization could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

1. Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
2. What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit your e-PHI?
3. What are the human, natural, and environmental threats to information systems that contain e-PHI?

In addition to an express requirement to conduct a Risk Analysis, the Rule indicates that a Risk Analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. For example, the Rule contains several implementation specifications that are labeled "addressable" rather than "required." (68 FR 8334, 8336 (Feb. 20, 2003).) An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so. (See 68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3).)

In recent months the OCR has acknowledged that providers are not making compliance implementation a priority for their practices. Thus, the increased risk of unauthorized access, use, and disclosure of protected (yet quite vulnerable) PHI is still a factor, not to mention the risk of practices failing to implement other critical areas of compliance appropriately, which also exposes practices to significant vulnerability as well as the heightened risk of significant fines and penalties. While this information only briefly describes the risk to your practice, providers, workforce, and patients, the message to take away here is that the Office for Civil Rights means business. So much, in fact, that it was decided that the best and only way to make sure practices understand the significance of compliance is for OCR (along with governing entities such as HIPAA, and others) to increase enforcement efforts.

There is no such thing as "under the radar" or "off the grid" for practicing providers today. One component of enforcement is HIPAA Security. It is a priority under HIPAA to ensure that potentially patient-identifying and vulnerable information is secure, and rightfully so, when you consider the risk of identity theft, medical identity theft, and other dangers posed to patients by the amount and types of information that health care providers hold on each patient. Not to mention the difficulty of finding the source of, and stopping the effects of, identity theft or medical identity theft should it occur (which it does, all too often).

Organizations should use the information gleaned from their Risk Analysis as they, for example:

1. Design appropriate personnel screening processes. (45 C.F.R. § 164.308(a)(3)(ii)(B).)
2. Identify what data to back up and how. (45 C.F.R. § 164.308(a)(7)(ii)(A).)
3. Decide whether and how to use encryption. (45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).)
4. Address what data must be authenticated in particular situations to protect data integrity. (45 C.F.R. § 164.312(c)(2).)
5. Determine the appropriate manner of protecting health information transmissions. (45 C.F.R. § 164.312(e)(1).)

Though there are other components of compliance, the Security Risk Analysis is one essential component, and for many reasons. The Security Risk Assessment shows your practice's good-faith effort in establishing and maintaining appropriate policies and procedures that meet guidelines and minimize risk to your practice, your patients, and their protected information. The Security Risk Analysis is also required as a way for practices to show ongoing monitoring of critical business systems.

Enforcement in this area is at an all-time high and will continue to gain steam. The best thing practices can do is to be proactive and show initiative. Also note that the Security Risk Analysis/Assessment is required for Meaningful Use attestation. Practices that are found to have received incentive payments through Meaningful Use without having appropriately conducted a Security Risk Analysis/Assessment per the attestation requirements are having to refund all of the incentive payments received, and they run a very high risk of more in-depth investigations and other potential penalties.

Risk Analysis is the first step in an organization's Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI. The outcome of the risk analysis process is a critical factor in assessing whether a required implementation specification or an equivalent measure is reasonable and appropriate.
