June 16, 2015

Assessment Series: HIPAA Security Assessment

Travis Good, MD

Co-founder & Chief Technology Officer

In this second entry of our Assessment Series we explore what a HIPAA Risk Assessment is and why it is crucial to the safe handling of protected health information (PHI), given the Healthcare Industry's growing dependence on information technology and the adoption of electronic medical records (EMR).

Back in February of 2009 the HITECH (Health Information Technology for Economic and Clinical Health) Act was passed as an element of the American Recovery and Reinvestment Act to fortify the privacy and safety of PHI by adding provisions to the HIPAA standards. Among the stipulations in HITECH was the HIPAA Security Rule, whose requirements are organized into three classifications; across those classifications there are 18 standards and 36 implementation specifications, each categorized as “Required” or “Addressable”. Required specifications must be implemented; Addressable specifications are meant for scalable consideration based on the needs of the individual entity and on best practices.

The Three Classifications

1. Administrative Safeguards

These constitute more than half of the HIPAA Security Assessment requirements. As with all three classifications, compliance mandates an evaluation of the security controls already in place, a precise and in-depth analysis, and a succession of documented solutions derived from the many factors unique to each covered body.

These safeguards are broken down as follows:

Standard: Security Management Process

The intent is to create the administrative processes and operations that a covered body will utilize to enact the security program in its environment.

Implementation Specifications

  1. Risk Analysis (Required)
  2. Risk Management (Required)
  3. Sanction Policy (Required)
  4. Information System Activity Review (Required)

Standard: Assigned Security Responsibility

The goal is to identify who will hold responsibility for ensuring that the covered body abides by the HIPAA Security Rule. There are no implementation specifications for this standard.

Standard: Workforce Security

The objective is to identify each workforce member who requires access to ePHI, why and when they need it, and how access to the information will be controlled.

Implementation Specifications

  1. Authorization and/or Supervision (Addressable)
  2. Workforce Clearance Procedure (Addressable)
  3. Termination Procedures (Addressable)

Standard: Information Access Management

Meant to restrict access to only those persons with a need for the specified ePHI.

Implementation Specifications

  1. Isolating Health Care Clearinghouse Functions (Required)
  2. Access Authorization (Addressable)
  3. Access Establishment and Modification (Addressable)

Standard: Security Awareness and Training

Training for all new and current members of the entity’s staff is mandated by the Security Rule.

Implementation Specifications

  1. Security Reminders (Addressable)
  2. Protection from Malicious Software (Addressable)
  3. Log-in Monitoring (Addressable)
  4. Password Monitoring (Addressable)

Standard: Security Incident Procedures

Implemented to identify and respond to security incidents within the covered body’s environment.

Implementation Specifications

  1. Response and Reporting

Standard: Contingency Plan

Requires planning and establishing strategies for regaining access to ePHI if an entity were to experience a crisis or other event that disrupts critical business operations.

Implementation Specifications

  1. Data Backup Plan (Required)
  2. Disaster Recovery Plan (Required)
  3. Emergency Mode Operation Plan (Required)
  4. Testing and Revision Procedures (Addressable)
  5. Applications and Data Criticality Analysis (Addressable)

Standard: Evaluation

Requires entities to create a process to review and maintain standard security measures in order to comply with the Security Rule. There are no implementation specifications for this standard.

Standard: Business Associate Contracts and Other Arrangements

States that covered bodies are required to have a contract or other agreement in place with any party that meets the definition of a “business associate.” This standard has no implementation specifications.

2. Physical Safeguards

These safeguards are meant to evaluate and control all physical access to ePHI.

These are broken down as follows within a HIPAA Security Assessment:

Standard: Facility Access Controls

Enacted to limit the access to the electronic information systems where ePHI is housed.

Implementation Specifications

  1. Contingency Operations (Addressable)
  2. Facility Security Plan (Addressable)
  3. Access Control and Validation Procedures (Addressable)
  4. Maintenance Records (Addressable)

Standard: Workstation Use

Requires that entities specify the proper uses of electronic computing devices (workstations). There are no implementation specifications for this standard.

Standard: Workstation Security

Addresses the operations and procedures for how workstations should be utilized and secured from unauthorized persons. There are no implementation specifications for this standard.

Standard: Device and Media Controls

This covers the correct handling of electronic media including removal, receipt, backup, storage, reuse, disposal, and responsibility.

Implementation Specifications

  1. Disposal (Required)
  2. Media Re-Use (Required)
  3. Accountability (Addressable)
  4. Data Backup and Storage (Addressable)

3. Technical Safeguards

A covered body must determine the security measures and specific technologies that are appropriate for its organization while complying with these safeguards. Within a HIPAA Security Assessment they are broken down as follows:

Standard: Access Control

Requires that access to the information systems, applications, programs, or files holding ePHI be granted only to persons who need it, and restricted for everyone else.

Implementation Specifications

  1. Unique User Identification (Required)
  2. Emergency Access Procedure (Required)
  3. Automatic Logoff (Addressable)
  4. Encryption and Decryption (Addressable)

Standard: Audit Controls

This standard is meant to support the recording and examination of information system activity, particularly where a security violation has occurred. This standard has no implementation specifications.

Standard: Integrity

This standard requires that policies and processes are implemented to protect ePHI from being altered or destroyed.

Implementation Specifications

  1. Mechanism to Authenticate Electronic Protected Health Information (Addressable)

Standard: Person or Entity Authentication

This standard requires confirming that a person is who they claim to be before they are granted access to ePHI. This standard has no implementation specifications.

Standard: Transmission Security

This standard is used to guard ePHI that is transmitted over electronic networks against access by persons who have not been granted permission.

Implementation Specifications

  1. Integrity Controls (Addressable)
  2. Encryption (Addressable)
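As an added illustration (not Datica's tooling and not part of the original post), the check below applies the Required/Addressable distinction from the opening of this post to the Technical Safeguards just listed. The treatment of Addressable items, namely that they must be implemented or their omission documented along with the equivalent measure adopted, follows the Security Rule itself (45 CFR 164.306(d)) rather than this post; the entity responses are constructed sample data.

```python
# Gap check applying the Required/Addressable distinction to the Technical
# Safeguards listed in this post. Added example, not Datica's own tooling.
# Rule applied: a Required specification must be implemented; an Addressable
# one must be implemented, or its omission documented together with the
# equivalent measure adopted (45 CFR 164.306(d)). Responses are constructed.
from collections import namedtuple

Spec = namedtuple("Spec", "standard name required")  # required: True/False
Response = namedtuple("Response", "implemented rationale alternative",
                      defaults=("", ""))

# Technical Safeguards as enumerated in this post.
TECHNICAL_SAFEGUARDS = (
    Spec("Access Control", "Unique User Identification", True),
    Spec("Access Control", "Emergency Access Procedure", True),
    Spec("Access Control", "Automatic Logoff", False),
    Spec("Access Control", "Encryption and Decryption", False),
    Spec("Integrity", "Mechanism to Authenticate ePHI", False),
    Spec("Transmission Security", "Integrity Controls", False),
    Spec("Transmission Security", "Encryption", False),
)

def gap_analysis(responses):
    """Return one finding per specification the entity has not satisfied.
    A specification with no response is treated as not implemented."""
    findings = []
    for spec in TECHNICAL_SAFEGUARDS:
        r = responses.get(spec.name, Response(False))
        if r.implemented:
            continue
        label = f"{spec.standard} / {spec.name}"
        if spec.required:
            findings.append(f"{label}: Required specification not implemented")
        elif not (r.rationale.strip() and r.alternative.strip()):
            findings.append(f"{label}: Addressable specification neither "
                            "implemented nor documented with an alternative")
    return findings

# Constructed sample: Emergency Access Procedure unanswered (a Required gap),
# Automatic Logoff omitted but documented, Encryption and Decryption omitted
# with no documentation; everything else implemented.
SAMPLE_RESPONSES = {
    "Unique User Identification": Response(True),
    "Automatic Logoff": Response(False, "shared clinical carts", "badge-tap lock"),
    "Encryption and Decryption": Response(False),
    "Mechanism to Authenticate ePHI": Response(True),
    "Integrity Controls": Response(True),
    "Encryption": Response(True),
}
```

Running `gap_analysis(SAMPLE_RESPONSES)` yields two findings: the unanswered Required specification and the undocumented Addressable omission, while the documented Automatic Logoff omission is accepted.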

In summary, when doing your own HIPAA Security Assessment, keep in mind that this applies to all media types including oral, paper, and electronic while simultaneously considering integrity, confidentiality, and availability. There are many HIPAA Security Assessment tools and services that have been released but no one is more highly regarded in this space than Datica as a HIPAA compliance authority.

Did you miss our first post in the HIPAA Assessment Series? Check it out here!
