ONC offers 7 steps to HIPAA security

Covered entities (CEs) concerned about compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L. 104-191) Security Rule should consider following a seven-step compliance approach recommended by the Office of the National Coordinator for Health Information Technology (ONC). In its recently published Guide to Privacy and Security of Electronic Health Information, the ONC provided valuable information to CEs, including information specifically targeted at eligible professionals (EPs) from smaller organizations enrolled in the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs, on how to integrate federal health information privacy and security requirements into their practices. The HIPAA Security Rule requires CEs and their business associates (BAs) to assess and manage risks to any electronic protected health information (ePHI) that they create, receive, maintain, or transmit. The suggested seven-step procedure for implementing a security management process is intended to help CEs fulfill their compliance responsibilities.

1. Lead your culture, select your team, and learn

The ONC urges organizations to:

  • designate a security officer to develop and maintain security practices, even if it is a person who will perform a dual role, being sure to record the assignment in a HIPAA compliance documentation file;
  • discuss HIPAA security requirements with EHR developers and be sure to sign a Business Associate Agreement (BAA) that reflects the entity’s expectations;
  • consider hiring a qualified professional to assist with the security risk analysis.  The ONC cautions, however, that the CE is still responsible for the overall analysis and that CEs should only deal with professionals with experience tailoring and performing risk analyses for similarly situated entities;
  • use tools to preview the security risk analysis; and
  • refresh their knowledge of HIPAA rules to promote a culture of protecting patient privacy and securing patient information.

2. Document your process, findings, and actions

The guidance provides examples of records that should be retained under HIPAA, including:

  • completed security checklists;
  • a security risk analysis report;
  • EHR audit logs; and
  • a risk management action plan.

The records will be “essential” for responding to HIPAA and EHR compliance audits.

3. Review existing security of ePHI by performing a security risk analysis

Failure to perform a security risk analysis is a significant problem among entities audited for both HIPAA and EHR program compliance. Failure to perform an effective analysis is also a pervasive issue among CEs.  The ONC urges practices to tailor the risk analysis to their specific situation.  Entities should identify:

  • where ePHI exists;
  • potential threats and vulnerabilities to ePHI, including human, natural, and environmental threats; and
  • risks and their associated levels.

The Guide provides a useful table of example risks specific to office-based EHRs (such as outdated security features) versus internet-hosted (cloud-based) EHRs (such as data stored in countries with different health information privacy and security laws).

4. Develop an action plan

Action plans should incorporate HIPAA’s administrative, physical, and technical safeguards, as well as organizational standards and policies and procedures. The guide contains a table listing examples of vulnerabilities and mitigation strategies for each component. The ONC suggests that simple safeguards can be highly effective, such as randomly monitoring staff access (a policy), checking EHR servers for viruses and malware (a technical safeguard), and refusing to allow staff to take home laptops with unencrypted information (an administrative safeguard). Lack of encryption is responsible for a significant portion of data breaches. Former HHS regulator Adam Greene recently suggested that the government is “losing patience” with data breaches resulting from loss of ePHI from unencrypted laptops and believes it will start fining entities heavily for such violations.

5. Manage and mitigate risks

Mitigation is crucial to HIPAA compliance. The HHS Office for Civil Rights (OCR) has fined entities, including Concentra Health Services, heavily when breaches resulted after entities failed to act on known risks.  Among other issues, written policies and procedures should establish protocols for security components, create “incident response” or “breach notification and management” plans, detail a sanction policy for violations of the Security Rule, as well as for the HIPAA Privacy and Breach Notification Rules, and list enforcement procedures.  Entities should:

  • consistently apply policies and procedures if unauthorized ePHI access occurs;
  • review policies and procedures periodically and update them when changes creating new risks occur;
  • retain all policies and procedures for at least six years after updating or replacing them, although state laws may be more stringent;
  • train new employees in security policies upon hiring, and train the entire workforce once every year and any time changes in the organization occur, including those affecting policies or procedures;
  • be proactive in providing patients with information regarding EHR benefits and access to PHI and ePHI.  The EHR programs have strict requirements regarding responses to patients’ requests for records; and
  • update BAAs.

6. Attest to the meaningful use security-related objective

In order to attest to meaningful use in the EHR incentive programs, users must have fulfilled the security risk analysis requirement. This means that users must not only have executed the analysis or reassessment, but must also have corrected the deficiencies that were identified. Failure to do so can prevent entities from receiving incentive payments or require them to return incentive payments already received. Notably, the ONC suggested in its Guide that attesting to meaningful use prior to meeting the security requirement could subject an entity to liability under the False Claims Act (31 U.S.C. §3729).

7. Monitor, audit, and update security on an ongoing basis

Entities should be prepared to “audit” the effectiveness of their security systems by performing in-house audits or using an information security consultant.  They should also prepare for audits by government agencies.  EHR users should maintain audit logs, which contain retrospective documentation on the manner in which all ePHI has been accessed.  Audit controls should be scaled to practice size.

With entities potentially facing both HIPAA compliance audits from the OCR and meaningful use audits from CMS and the HHS Office of Inspector General (OIG), there has never been a better time for organizations to be sure that patients’ ePHI is secure.