Risk Analysis Requirements Under The Security Rule
The HIPAA Security Rule requires that covered entities (your practice) conduct a Security Risk Analysis/Assessment for the organization at least once per year. It is critical that practices perform the Security Risk Analysis for several reasons: not only to comply with HIPAA and with the rules and regulations of Health and Human Services (HHS) and the Office for Civil Rights (OCR), but also, for what should be a more motivating reason, to protect your practice (and bank account) from what could become debilitating fines and penalties.
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization. (Each organization must evaluate for itself the most appropriate answers to the questions contained in its own Risk Analysis.) From the information gained while conducting your Risk Analysis, you should prepare a Security Risk Action Plan documenting your findings, your conclusions, and your plans to address the risk issues identified.
This Action Plan should describe the current state of your practice in three areas: Environmental, Facility, and Hardware/Software controls (that is, human, natural, and environmental threats). It should also rank issues from high to low risk and prescribe plans of action to address them in that order of priority. Document your plans based on the risk analysis findings and your practice's available resources, so that your higher-risk issues are reduced first, and document the policies and procedures you will follow going forward to mitigate damage, disruption, or loss of Protected Health Information (PHI). The Security Rule requires the Risk Analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).) The Risk Analysis documentation is a direct input to your Risk Action Plan and your overall Risk Management Process.
The following questions are examples that your organization could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:
1. Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain, or transmit.
2. What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain, or transmit your e-PHI?
3. What are the human, natural, and environmental threats to information systems that contain e-PHI?
In addition to an express requirement to conduct a Risk Analysis, the Rule indicates that a Risk Analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. For example, the Rule contains several implementation specifications that are labeled "addressable" rather than "required." (68 FR 8334, 8336 (Feb. 20, 2003).) An addressable implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so. (See 68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3).)
In recent months the OCR has acknowledged that providers are not making compliance implementation a priority in their practices. Thus the increased risk of unauthorized access, use, and disclosure of protected (yet quite vulnerable) PHI remains a factor, as does the risk of practices not appropriately implementing other critical areas of compliance, which also leaves practices significantly vulnerable and heightens the risk of significant fines and penalties. While this information only briefly describes the risk to your practice, providers, workforce, and patients, the message to take away is that the Office for Civil Rights means business - so much so, in fact, that it has decided the best and only way to make sure practices understand the significance of compliance is for OCR (along with governing entities such as HIPAA, and others) to increase enforcement efforts.
There is no such thing as "under the radar" or "off the grid" for practicing providers today. One component of enforcement is HIPAA Security. It is a priority under HIPAA to ensure that potentially patient-identifying and vulnerable information is secure, and rightfully so, when you consider the risk of identity theft, medical identity theft, and other dangers posed to patients by the amount and types of information that health care providers hold on each patient, not to mention the difficulty of finding the source of, and stopping the effects of, identity theft or medical identity theft should it occur (which it does, all too often).
Organizations should use the information gleaned from their Risk Analysis as they, for example:
- Design appropriate personnel screening processes. (45 C.F.R. § 164.308(a)(3)(ii)(B).)
- Identify what data to backup and how. (45 C.F.R. § 164.308(a)(7)(ii)(A).)
- Decide whether and how to use encryption. (45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).)
- Address what data must be authenticated in particular situations to protect data integrity. (45 C.F.R. § 164.312(c)(2).)
- Determine the appropriate manner of protecting health information transmissions. (45 C.F.R. § 164.312(e)(1).)
Though there are other components of compliance, the Security Risk Analysis is one very essential component, for many reasons. The Security Risk Assessment shows your practice's good-faith effort in establishing and maintaining appropriate policies and procedures that meet guidelines and minimize risk to your practice, your patients, and their protected information. The Security Risk Analysis is required as a way for practices to show ongoing monitoring of critical business systems.
Enforcement of this area is at an all-time high and will continue to gain steam. The best thing practices can do is to be proactive and show initiative. Also note that the Security Risk Analysis/Assessment is required for Meaningful Use attestation as well. Practices that are found to have received incentive payments through Meaningful Use but have not appropriately conducted a Security Risk Analysis/Assessment per the attestation requirements are having to refund all of the incentive payments received, and also run a very high risk of more in-depth investigations and other potential penalties.
Risk Analysis is the first step in an organization’s Security Rule compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI. The outcome of the risk analysis process is a critical factor in assessing whether a required implementation specification or an equivalent measure is reasonable and appropriate.
Source(s): http://www.hcsiinc.com/, http://www.hhs.gov/, Brandy Brimhall @ https://www.chirocode.com/