Security management process is the foundation for compliance with HIPAA Security Rule

A security management process can be an organization’s biggest strength or its biggest weakness, and most organizations lack one or more of the components that make up such a process. In a Health Care Compliance Association (HCCA) webinar entitled “Is Your Security Management Process Your Biggest Risk?”, presenters Kezai Cook-Robinson and Ahmad M. Sabbarini of Ernst & Young LLP emphasized that a security management process is the foundation for an organization’s compliance with the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191).

Under 45 C.F.R. Sec. 164.308(a)(1), a covered entity or business associate is required to implement policies and procedures to prevent, detect, contain, and correct security violations. The Security Rule’s general approach requires covered entities and business associates to implement each standard and its required implementation specifications, and to implement addressable implementation specifications where doing so is reasonable and appropriate (otherwise documenting why not and adopting an equivalent alternative measure where reasonable and appropriate). The security management process standard itself carries four required implementation specifications: risk analysis, risk management, a sanction policy, and information system activity review.

Risk analysis

Covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (e-PHI) held by the covered entity or business associate. This means, said the presenters, that covered entities and business associates must conduct an enterprise-wide risk analysis and maintain a current, comprehensive, and thorough analysis of security risks and vulnerabilities covering the e-PHI created, received, maintained, or transmitted by the organization’s facilities and applications. This should be done periodically (calendar-based) and in response to events (event-based triggers), such as a new system, a change to an existing system, or a security incident.

As part of the risk analysis, organizations should conduct a comprehensive inventory of where e-PHI resides. Assets can be grouped for purposes of the inventory; for example, workstations that hold the same amount and type of e-PHI can be treated as one asset category. In addition, to save time and money, organizations should start from lists that have already been created for financial statement audits and privacy compliance activities rather than building the inventory from scratch.

Risk management

Covered entities and business associates should establish and implement an organization-wide risk management plan to address and mitigate the security risks and vulnerabilities found in the risk analysis. It should include a process and timeline for the organization’s implementation, evaluation, and revision of its risk remediation activities. The presenters noted that the higher the risk, the more robust the controls need to be.

Sanctions policy and information system activity review

The security management process also requires covered entities and business associates to apply appropriate sanctions against workforce members who fail to comply with security policies and procedures, and to implement procedures for regularly reviewing records of information system activity, such as audit logs, access reports, and security incident tracking reports.
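The following is an added illustration of what a scripted information system activity review can look like; it is not from the webinar or the presenters, and the log format, the workforce schedule data, the self-access mapping, and the failed-login threshold are all assumptions. It parses a small constructed audit log, produces a per-user access report (distinct patient records touched), and flags the kinds of events a reviewer typically looks for: access outside a workforce member’s scheduled hours, a workforce member opening their own patient record, bulk exports, repeated failed logins, and activity by accounts not on the workforce roster.

```python
"""Added example of an information system activity review over audit log records.
Not part of the HCCA webinar; log format, roster fields and thresholds are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit log (not real data).
# Fields: timestamp, user, action, patient_id ('-' for none), outcome
SAMPLE_LOG = """\
2024-03-04T08:12:03 jdoe VIEW P1001 OK
2024-03-04T08:15:44 jdoe VIEW P1002 OK
2024-03-04T23:40:10 jdoe VIEW P2077 OK
2024-03-04T09:01:12 asmith VIEW P1003 OK
2024-03-04T09:02:30 asmith VIEW P3001 OK
2024-03-04T07:58:00 bwong LOGIN - FAIL
2024-03-04T07:58:20 bwong LOGIN - FAIL
2024-03-04T07:58:41 bwong LOGIN - FAIL
2024-03-04T07:59:02 bwong LOGIN - FAIL
2024-03-04T07:59:30 bwong LOGIN - OK
2024-03-04T10:10:10 bwong EXPORT P1001 OK
"""

# Assumed workforce roster: scheduled shift as (start_hour, end_hour) in 24h time, and
# the patient ID of the workforce member's own record if they are also a patient here.
WORKFORCE = {
    "jdoe":   {"shift": (7, 19), "own_patient_id": None},
    "asmith": {"shift": (8, 17), "own_patient_id": "P3001"},
    "bwong":  {"shift": (7, 16), "own_patient_id": None},
}
FAILED_LOGIN_THRESHOLD = 3  # assumed review threshold


def parse_log(text):
    """Parse whitespace-separated audit lines into dicts; skips blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, outcome = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "patient": patient, "outcome": outcome})
    return records


def review_activity(records, workforce=WORKFORCE, threshold=FAILED_LOGIN_THRESHOLD):
    """Return a list of (user, finding_type, detail) tuples for a reviewer to follow up."""
    findings = []
    failed_logins = Counter()
    for r in records:
        profile = workforce.get(r["user"])
        if profile is None:
            # Activity by an account that is not on the roster (e.g. a departed employee)
            findings.append((r["user"], "UNKNOWN_USER", r["ts"].isoformat()))
            continue
        if r["action"] == "LOGIN":
            if r["outcome"] == "FAIL":
                failed_logins[r["user"]] += 1
            continue
        start, end = profile["shift"]
        if not (start <= r["ts"].hour < end):
            findings.append((r["user"], "AFTER_HOURS_ACCESS", r["patient"]))
        if profile["own_patient_id"] and r["patient"] == profile["own_patient_id"]:
            findings.append((r["user"], "SELF_ACCESS", r["patient"]))
        if r["action"] == "EXPORT":
            # Bulk movement of e-PHI out of the system always merits a look
            findings.append((r["user"], "EXPORT", r["patient"]))
    for user, count in failed_logins.items():
        if count >= threshold:
            findings.append((user, "REPEATED_FAILED_LOGIN", str(count)))
    return findings


def access_report(records):
    """Per-user count of distinct patient records touched (a simple access report)."""
    seen = defaultdict(set)
    for r in records:
        if r["patient"] != "-":
            seen[r["user"]].add(r["patient"])
    return {user: len(patients) for user, patients in seen.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Access report:", access_report(recs))
    for finding in review_activity(recs):
        print("FINDING:", *finding)
```

Each finding is a lead for a human reviewer, not a conclusion: an after-hours view may be an on-call clinician, and a self-access may be permitted under the organization’s policy. The point of the review procedure is that someone looks at these records on a regular schedule and documents what was checked and what was decided.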


“Document, document, document,” said Cook-Robinson, because “it does not exist unless it’s in writing.” She advised that covered entities and business associates document and keep as records the analyses, decision making, and rationale for overall risk assessments, as well as individual risk analyses for implemented safeguards.

NIST guidelines

Cook-Robinson and Sabbarini also advised organizations to align, as necessary, with the guidelines and frameworks that HHS leverages, including the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework, or CSF) and NIST Special Publication 800-30, the Guide for Conducting Risk Assessments.

Background checks and exclusion screening vital to provider compliance

Background checks and exclusion screening are a vital part of hiring and compliance, but both processes have considerable weaknesses that providers must keep in mind. In a Health Care Compliance Association (HCCA) webinar, “The Critical Role of Background Checks and Exclusion Screening in Compliance & Risk Management,” Paul Weidenfeld of Exclusion Screening, LLC reminded attendees that employees are both a provider’s most important business resource and its biggest source of risk.

Human capital risk management

Continued training and employee development can be seen as an investment that results in a competitive advantage for the business. Although physicians are considered the backbone of a practice, other employees have a great deal of interaction with patients and define the patient experience. Weidenfeld likened close oversight to managing human capital, which can reduce the chances of losses attributed to fraud, internal theft, absenteeism, and accidents and injuries. Risk management is a vital aspect of ensuring the financial success of a provider’s business, because about half of overall expenses come from employee salaries and benefits. Additionally, providers continue to pay high premiums for malpractice insurance, as well as for general liability, privacy violation, property, and workers’ compensation coverage.

Background check

During the hiring process, employers should conduct a background check to confirm the applicant’s identity, experience, and qualifications. For basic confirmation, employers can do some of the investigating themselves, but more in-depth criminal background and exclusion list checks take more resources and often require outside help. Third-party background checks, however, are subject to several regulations.

Criminal background checks are difficult to conduct thoroughly because there is no single source. A federal background check must be authorized by law, and it does not necessarily capture everything at the state, county, and municipal levels because of reporting gaps. Other sources include sex offender registries, bad employee lists, terrorist watch lists, and motor vehicle databases. Compounding the issue are the differing requirements on when checks are performed and how the information obtained may be used. For example, federal regulations do not require a background check for home health agency (HHA) workers, but compliance with state laws is required for participation in federal programs. Some states require completed checks prior to employment, while others allow the check to be completed during an initial period of employment. Some states do not specify disqualifying convictions, while others allow disqualified individuals to seek a waiver.


Outside investigators are not always reliable. The U.S. Office of Personnel Management (OPM) Office of Inspector General (OIG) has debarred, or referred for debarment, many investigators known to have falsified reports while clearing federal job applicants for suitability or security clearances. Third-party investigators can be a serious compliance risk, as shown by the $30 million settlement OPM received to resolve false claims charges after a contractor allegedly released cases to OPM without completing them. Even if a thorough background check shows no criminal record, other information the applicant provides may be inaccurate and difficult to corroborate: paid services will fabricate resumes, references, and even degrees to help applicants land a job.


Exclusion screening is another step that can easily trip up a provider. Hiring an employee excluded by the HHS OIG for posing risks to patient safety or financial integrity not only extends those risks to the provider’s business, but also exposes the provider to overpayment liability when it receives reimbursement from federal health care programs: no service furnished by an excluded person is reimbursable.

The HHS OIG requires providers to screen against its List of Excluded Individuals and Entities (LEIE) upon hire and monthly thereafter. CMS, in turn, requires states to require Medicaid providers to screen both the LEIE and the state exclusion list, where one exists. Some states require providers to certify that none of their employees, vendors, or contractors has been excluded from any state program. However, state exclusion lists are notoriously difficult to find and navigate, so providers cannot easily verify that all of these parties are in good standing.

Webinar provides triage tips for internal investigations

Health care compliance investigations are not like a fine wine, stressed Kashish Chopra: age may improve a wine, but waiting will never make an investigation go more smoothly. Chopra, along with former HHS Inspector General Richard P. Kusserow, both of Strategic Management Solutions, presented a webinar titled “Best Practices for Internal Investigations,” covering the goals of such investigations, the key individuals who should be involved in the process, and the necessary steps and precautions. They also provided listeners with a sample Protocol Policy to clarify the relationship between a compliance officer and legal counsel when their responsibilities overlap.

Kusserow and Chopra explained the importance of having an internal investigation program as part of a robust compliance program. Internal investigations are a form of risk management: they can prevent costly mistakes and reassure everyone that problems and reports are taken seriously and examined carefully. The foundation of a successful investigation is a formalized process for everything, even for matters that arrive informally, so that complaints can be received, investigated, and, if necessary, mitigated. Chopra noted that although most complaints received by anonymous compliance hotlines relate to human resources (HR) matters, the complaints most likely to lead to an investigation include allegations of harassment, discrimination, retaliation, privacy or security threats, theft or fraud, notice of litigation, and inquiries by government agencies or contractors.

It is important for everyone involved in an investigation to have well-defined roles and to maintain communication and transparency. Kusserow explained that during an investigatory interview it is important to minimize note-taking and maintain eye contact; he reminded listeners, however, to build in time between interviews to fill in the gaps left by minimal note-taking so that adequate records are kept. The presenters also offered tips on how to “triage” complaints, ranking them by priority, which requires a quick, accurate assessment of each issue. They especially emphasized the importance of giving individuals the opportunity to report problems both confidentially and anonymously. The distinction matters: although an anonymous source’s anonymity is protected, the compliance department has no way to protect that person’s job, whereas confidential sources are known and must be protected against retaliation.