In this second entry of our Assessment Series we explore what a HIPAA Risk Assessment is and why it is crucial to the safe handling of protected health information (PHI), given the healthcare industry's growing dependence on information technology and the adoption of electronic medical records (EMR).
In February 2009 the HITECH (Health Information Technology for Economic and Clinical Health) Act was passed as part of the American Recovery and Reinvestment Act to strengthen the privacy and security of PHI by adding provisions to the HIPAA standards, most notably stronger enforcement and direct obligations for business associates. The HIPAA Security Rule itself predates HITECH (the final rule was published in 2003) and is the rule a risk assessment is measured against. Its requirements are organized into three classifications of safeguards; across the three there are 18 standards and 36 implementation specifications, each categorized as "Required" or "Addressable". Required specifications must be implemented as written. Addressable does not mean optional: the entity must assess whether the specification is reasonable and appropriate for its environment and then either implement it, implement an equivalent alternative measure, or document why neither is needed.
The Three Classifications
1. Administrative Safeguards
These make up more than half of the HIPAA Security Rule requirements. As with all three classifications, compliance requires an evaluation of the security controls already in place, a thorough gap analysis against each standard, and a set of documented decisions that reflect the factors unique to each covered entity: its size and complexity, its technical infrastructure, the cost of security measures, and the probability and criticality of the risks to ePHI.
These safeguards are broken down as follows:
Standard: Security Management Process
The intent is to establish the administrative processes and procedures a covered entity uses to implement and run its security program.
- Risk Analysis (Required)
- Risk Management (Required)
- Sanction Policy (Required)
- Information System Activity Review (Required)
Standard: Assigned Security Responsibility
The goal is to identify who is responsible for ensuring that the covered entity complies with the HIPAA Security Rule: a single security official must be designated. There are no implementation specifications for this standard.
Standard: Workforce Security
The objective is to identify which workforce members need access to ePHI, what they need, when they need it, and how the entity will control that access.
- Authorization and/or Supervision (Addressable)
- Workforce Clearance Procedure (Addressable)
- Termination Procedures (Addressable)
Standard: Information Access Management
Meant to restrict access to ePHI to only those persons or software programs that need it.
- Isolating Health Care Clearinghouse Functions (Required)
- Access Authorization (Addressable)
- Access Establishment and Modification (Addressable)
Standard: Security Awareness and Training
The Security Rule mandates a security awareness and training program for all members of the workforce, including management, both new and current.
- Security Reminders (Addressable)
- Protection from Malicious Software (Addressable)
- Log-in Monitoring (Addressable)
- Password Monitoring (Addressable)
Standard: Security Incident Procedures
Implemented to identify, respond to, and document security incidents within the covered entity's environment.
- Response and Reporting (Required)
Standard: Contingency Plan
Requires the entity to plan and establish strategies for restoring access to ePHI if it were to experience an emergency or other occurrence (fire, vandalism, system failure, natural disaster) that damages systems containing ePHI or disrupts critical business operations.
- Data Backup Plan (Required)
- Disaster Recovery Plan (Required)
- Emergency Mode Operation Plan (Required)
- Testing and Revision Procedures (Addressable)
- Applications and Data Criticality Analysis (Addressable)
Standard: Evaluation
Requires entities to perform a periodic technical and non-technical evaluation of how well their security policies and procedures meet the Security Rule, and to repeat it whenever environmental or operational changes affect the security of ePHI. There are no implementation specifications for this standard.
Standard: Business Associate Contracts and Other Arrangements
States that a covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on its behalf only if it obtains satisfactory assurances, documented in a written contract or other arrangement, that the business associate will appropriately safeguard the information.
- Written Contract or Other Arrangement (Required)
2. Physical Safeguards
These are the physical measures, policies, and procedures that protect the electronic information systems, and the buildings and equipment that house them, from natural and environmental hazards and from unauthorized intrusion.
These are broken down as follows within a HIPAA Security Assessment:
Standard: Facility Access Controls
Enacted to limit physical access to the electronic information systems where ePHI is housed, and to the facilities in which they are located, while ensuring that properly authorized access is still allowed.
- Contingency Operations (Addressable)
- Facility Security Plan (Addressable)
- Access Control and Validation Procedures (Addressable)
- Maintenance Records (Addressable)
Standard: Workstation Use
Requires that entities specify the proper functions to be performed on workstations that can access ePHI, the manner in which they are performed, and the physical attributes of the surroundings of those workstations. There are no implementation specifications for this standard.
Standard: Workstation Security
Addresses the physical safeguards that restrict access to workstations holding or reaching ePHI to authorized users (screen placement, privacy filters, and locking devices are typical measures). There are no implementation specifications for this standard.
Standard: Device and Media Controls
This covers the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and their movement within it, including backup, storage, reuse, disposal, and accountability for the media.
- Disposal (Required)
- Media Re-Use (Required)
- Accountability (Addressable)
- Data Backup and Storage (Addressable)
3. Technical Safeguards
A covered entity must determine which security measures and specific technologies are reasonable and appropriate for its organization; the Security Rule is technology-neutral and does not prescribe particular products. The technical safeguards are broken down in a HIPAA Security Assessment as follows:
Standard: Access Control
Requires technical policies and procedures that allow only authorized persons or software programs to access the information systems, applications, programs, or files that hold ePHI.
- Unique User Identification (Required)
- Emergency Access Procedure (Required)
- Automatic Logoff (Addressable)
- Encryption and Decryption (Addressable)
Standard: Audit Controls
This standard requires hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI; those records are what make a security violation investigable after the fact. This standard has no implementation specifications.
Standard: Integrity
This standard requires policies and procedures to protect ePHI from improper alteration or destruction.
- Mechanism to Authenticate Electronic Protected Health Information (Addressable)
Standard: Person or Entity Authentication
This standard requires procedures to verify that a person or entity seeking access to ePHI is the one claimed, before that access is granted. This standard has no implementation specifications.
Standard: Transmission Security
This standard requires technical security measures to guard against unauthorized access to ePHI while it is being transmitted over an electronic communications network.
- Integrity Controls (Addressable)
- Encryption (Addressable)
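The technical safeguards above (Unique User Identification, Audit Controls, the Integrity standard's mechanism to authenticate ePHI) and the administrative Information System Activity Review specification all meet in the audit trail: the log has to attribute every ePHI access to one identified user, it has to be protected from alteration, and someone has to actually review it. The following Python is an added example written for this post, not code from the original article or from Datica. It records ePHI access events under unique user IDs in a log whose entries are chained with HMAC-SHA256 tags, detects any edited, deleted, or reordered record, and reviews the log against a role authorization table and a termination list. The user IDs, roles, events, termination date, and key are all constructed for the demonstration.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime

# Hypothetical demo key. In a real deployment the key lives in an HSM or a
# separate logging service so that whoever can edit the log cannot recompute
# the tags; this constant exists only so the example runs offline.
KEY = b"constructed-demo-key-not-for-production"

# Constructed authorization data (not from the original post): which unique
# user IDs may touch which classes of ePHI records.
AUTHORIZED = {
    "u1001": {"clinical"},             # nurse
    "u1002": {"clinical", "billing"},  # physician who also codes visits
    "u1003": {"billing"},              # billing clerk
}

# Workforce members whose access should have ended (Termination Procedures),
# with the effective date of termination. Constructed.
TERMINATED = {"u1004": "2024-03-01T00:00:00+00:00"}

# Constructed ePHI access events, in the shape an application might emit them.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00+00:00", "user": "u1001", "patient": "p-77", "class": "clinical", "action": "read"},
    {"ts": "2024-03-04T09:15:00+00:00", "user": "u1003", "patient": "p-77", "class": "clinical", "action": "read"},
    {"ts": "2024-03-04T23:40:00+00:00", "user": "u1004", "patient": "p-12", "class": "clinical", "action": "read"},
    {"ts": "2024-03-04T10:02:00+00:00", "user": "u1002", "patient": "p-12", "class": "billing", "action": "update"},
]

GENESIS = "0" * 64  # the tag "before" the first record


def _canonical(event):
    # Stable serialization so the same event always produces the same tag.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_record(log, event, key=KEY):
    """Append an access event whose HMAC tag chains to the previous record's tag.

    Because each tag covers the previous tag as well as the event, editing,
    deleting, or reordering any earlier record invalidates every tag after it.
    """
    prev_tag = log[-1]["tag"] if log else GENESIS
    tag = hmac.new(key, prev_tag.encode() + _canonical(event), hashlib.sha256).hexdigest()
    log.append({"event": event, "tag": tag})
    return log


def verify_chain(log, key=KEY):
    """Return the index of the first record whose tag does not verify, or -1 if the chain is intact."""
    prev_tag = GENESIS
    for i, rec in enumerate(log):
        expected = hmac.new(key, prev_tag.encode() + _canonical(rec["event"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return i
        prev_tag = rec["tag"]
    return -1


def review_activity(log):
    """Information system activity review: flag accesses the authorization data does not support.

    Returns (user, patient, reason) tuples, each a finding for the security official.
    """
    findings = []
    for rec in log:
        e = rec["event"]
        user, when = e["user"], datetime.fromisoformat(e["ts"])
        if user in TERMINATED and when >= datetime.fromisoformat(TERMINATED[user]):
            findings.append((user, e["patient"], "access after termination"))
        elif e["class"] not in AUTHORIZED.get(user, set()):
            findings.append((user, e["patient"], "not authorized for %s records" % e["class"]))
    return findings


def build_sample_log(key=KEY):
    """Build the chained log from the constructed sample events."""
    log = []
    for event in SAMPLE_EVENTS:
        append_record(log, event, key)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log) == -1)
    for finding in review_activity(log):
        print("finding:", finding)
    # Simulate an insider quietly removing the record of their own access.
    tampered = copy.deepcopy(log)
    del tampered[1]
    print("first bad record after deletion:", verify_chain(tampered))
```

The review surfaces two findings from the constructed data: a billing clerk reading clinical notes (an Information Access Management failure) and a terminated user still able to read records (a Termination Procedures failure). The chain verification only proves the log was not tampered with by someone who lacks the key, which is why the key must be held apart from the systems and people whose activity the log records; it says nothing about whether the events themselves were legitimate, which is what the review step and the sanction policy are for.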
In summary, when performing your own HIPAA Security Assessment, keep in mind that the Security Rule applies to PHI in electronic form (ePHI), both at rest and in transit; PHI in oral and paper form falls under the HIPAA Privacy Rule. Throughout the assessment, consider confidentiality, integrity, and availability together rather than in isolation. Many HIPAA Security Assessment tools and services have been released, but none is more highly regarded in this space than Datica as a HIPAA compliance authority.
Did you miss our first post in the HIPAA Assessment Series? Check it out here!