Security management process is the foundation for compliance with HIPAA Security Rule

Security management process can be an organization’s biggest strength or biggest weakness, and most organizations lack one or all of the components that establish a security management process. In a Health Care Compliance Association (HCCA) webinar entitled, “Is Your Security Management Process Your Biggest Risk?” presenters Kezai Cook-Robinson and Ahmad M. Sabbarini of Ernst & Young LLP emphasized that a security management process is the foundation for an organization’s compliance with the Health Insurance Portability and Accountability Act’s (HIPAA) (P.L. 104-191) Security Rule.

Under 45 C.F.R. Sec. 164.308(a)(1) a covered entity or business associate is required to implement policies and procedures to prevent, detect, contain, and correct security violations. This process requires covered entities and business associates to implement standards and required implementation specifications and to implement, when appropriate and reasonable, addressable implementation specifications through risk analysis, risk management, sanction policy, and information system activity review.

Risk analysis

Covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. This means, said the presenters, that covered entities and business associates must conduct an enterprise-wide risk analysis and develop a current, comprehensive, and thorough risk analysis of security risks and vulnerabilities to include the electronic personal health information (e-PHI) created, received, maintained, or transmitted by the organizations’ facilities and applications. This should be done periodically (calendar-based) and in response to events (event-based triggers).

As part of the risk analysis, organizations should conduct a comprehensive inventory of e-PHI. Assets can be grouped into a common grouping for purposes of the inventory—for example, if work stations have the same number and type of e-PHI, they can be grouped into one asset category. In addition, to save time and money, organizations should start with lists that have already created from financial statements and privacy compliance activities.

Risk management

Covered entities and business associates should establish and implement an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities found in the risk analysis. It should include a process and timeline for an organization’s implementation, evaluation, and revision of its risk remediation activities. The presenters noted that the higher the risk, the more robust controls are needed.

Sanctions policy and information system activity review

The security management process also requires covered entities and business associates to apply appropriate sanctions against workforce members who fail to comply with security policies and procedures and to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Documentation

“Document, document, document,” said Cook-Robinson, because “it does not exist unless it’s in writing.” She advised that covered entities and business associates document and keep as records the analyses, decision making, and rationale for overall risk assessments, as well as individual risk analyses for implemented safeguards.

NIST guidelines

Cook-Robinson and Sabbarini also advised organizations to align as necessary with the guidelines and frameworks that HHS leverages, including the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF) and NIST 800-30.

Kusserow on Compliance: New HIPAA risk analysis tool released

The HHS Office for Civil Rights (OCR) and Office of the National Coordinator of Health Information Technology (ONC) released a new jointly developed downloadable Security Risk Assessment (SRA) Tool to assist providers and professionals to perform HIPAA compliance risk assessments. It was designed primarily for small and medium-sized covered entities and business associates. The Tool is a self-contained, operating system (OS) independent application that is available at no cost, can be downloaded from Apple’s App Store. It guides users through each HIPAA requirement by presenting questions answerable as “yes” or “no” to indicate if there is a need for corrective action for any of the 156 question items. Guidance provides assistance in:

  • Understanding the context of the question
  • Considering the potential impacts to your PHI if the requirement is not met
  • Seeing the actual safeguard language of the HIPAA Security Rule

The Tool can serve as the local repository for the information and does not send your data anywhere else. At any time during the risk assessment process, you can pause to view your current results. The results are available in printable PDF and Excel formats. For details on how to use the tool, download the SRA Tool User Guide. A paper-based version of the tool is also available:

Camella Boateng, an experienced HIPAA consultant, makes the point that “Covered Entities and Business Associates are not mandated to use this tool; however they are required to conduct regular, organization-wide risk analyses for HIPAA compliance. Much of my work over the last year has been assisting clients in conducting a system-wide HIPAA compliance reviews. Using the tool greatly assists in doing this. If you monitor the OCR website, it is clear from the many recent HIPAA enforcement actions that many organizations have not performed such analyses properly.”

Suzanne Castaldo, JD, notes, “OCR can be counted upon to include review of risk analyses of organization during the Phase 2 HIPAA audits and that results from these reviews will result in many Business Associates being notified of having a desk audit before the end of this year. OCR plans following up with field audits for both Covered Entities and Business Associate beginning in 2017 that will have twin objectives of learning more about HIPAA compliance in general, as well as having some of the audits finding cases that warrant becoming enforcement investigations of HIPAA violations.”

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2016 Strategic Management Services, LLC. Published with permission.