This is the third part in an on-going series about the HIPAA Security Rule. So far I have discussed the following:

As I mentioned previously, the Security Rule is broken into three main parts: the administrative, physical and technical safeguards. We will now dive into the administrative safeguards.

The administrative safeguards make up roughly half of the Security Rule's standards. So if you implement the administrative safeguards you are about half way done! Below is a list of the Standards, Sections and Implementation Specifications.

R = Required, A = Addressable

| Standard | Section | Implementation Specification | R/A |
|---|---|---|---|
| Security Management Process | 164.308(a)(1) | Risk Analysis | R |
| | | Risk Management | R |
| | | Sanction Policy | R |
| | | Information System Activity Review | R |
| Assigned Security Responsibility | 164.308(a)(2) | (no separate specification; the standard itself is required) | R |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision | A |
| | | Workforce Clearance Procedure | A |
| | | Termination Procedures | A |
| Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Functions | R |
| | | Access Authorization | A |
| | | Access Establishment and Modification | A |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders | A |
| | | Protection from Malicious Software | A |
| | | Log-in Monitoring | A |
| | | Password Management | A |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting | R |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan | R |
| | | Disaster Recovery Plan | R |
| | | Emergency Mode Operation Plan | R |
| | | Testing and Revision Procedures | A |
| | | Applications and Data Criticality Analysis | A |
| Evaluation | 164.308(a)(8) | (no separate specification; the standard itself is required) | R |
| Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement | R |

I am going to take the rest of this article to discuss just the Security Management Process, and more specifically the Risk Analysis and Risk Management implementation specifications. I believe the whole foundation of the HIPAA Security Rule rests on these two implementation specifications.

Keeping in mind that the principle behind HIPAA is protecting patient information, it is important to determine where patient information resides and determine what risks could potentially prevent you from protecting the information. Once you determine where the patient information resides and what the risks to protecting it are, you can then put in place procedures that will reduce these risks and strengthen your ability to protect the information.

To further illustrate the point, let’s apply the Security Management process to your house. Your house protects you and your family as well as your possessions; let’s call all of these your valuables. In order to protect your valuables you need to know the inventory of your valuables. While you probably won’t forget your spouse and kids, you may not remember the gold watch tucked away in your dresser drawer. So the first step should be to write down all of your valuables. Once you have a complete inventory of your valuables you need to determine the importance of them to you. Let’s break the importance into three categories; high, medium and low. Most likely your family ranks at the top of your importance list and would fall into the high importance category. The gold watch may have a significant financial value or may be a gift from someone making it important but not nearly as important as your family. Let’s put the gold watch into the medium category. Your mailbox may be on the list but of very little importance. If anything were to happen to your mailbox you can easily replace it with minimal financial impact so we will put that in the low category. So now you have a complete list of all your valuables and you have assigned an importance category to each of them. The next step is to determine the potential threats to your valuables.

No matter where you live, the threat of crime always exists. If you live in a low-crime area the threat may be lower, but conversely if you live in a high-crime area the threat could be very real. Once again we will rate each threat as high, medium or low. A flood is another threat to your valuables. If you live by a river or lake the threat of a flood could be high. A hurricane could be another threat, but if you live in Kansas the threat is probably very low. At the end of this process you have a list of all potential threats to your valuables as well as the likelihood of each threat occurring.

Now take the list of your valuables, categorized by their value to you, and the list of threats with their likelihood of occurring, and you have identified where you need to focus your attention. If your family is of high value and the threat of crime is high, you will spend a lot of attention on securing your house. This could entail adding additional locks to your doors or installing a security system. On the other hand, your mailbox is of low value, so you may choose not to add any additional security other than fastening it to a mailbox post. Your home security management process is complete when you have gone through the list of your valuables and implemented steps to protect them from the medium and high threats.

The process of protecting your valuables is exactly the process the Security Rule calls for in regard to protecting EPHI. Determine where your EPHI resides. As in the home illustration, you probably won't forget your EMR (the family), but EPHI may also reside in email or in digital x-rays on a network share (the gold watch). Make sure you have a complete list of all your EPHI and write it down. Then categorize the importance of each system. As a rule of thumb, the more EPHI a system holds and the more people who access it, the higher the importance of the system (high category). The less EPHI it holds and the fewer people who access it, the lower the importance (low category). Another rule of thumb: if the system contains very important or highly confidential information, it falls into the high category. Conversely, if the EPHI on the system is encrypted, that lowers the likelihood of a disclosure if the system is lost or stolen and can justify a lower category. Note that merely requiring special software to read the data is not a control: anyone who obtains the data can obtain the software, so do not lower a system's category on that basis. The next step is to identify the threats to your EPHI and rate the likelihood of each threat occurring.

The loss of EPHI, whether through destruction, theft or unauthorized disclosure, is always something to be concerned about (high category). In addition, fire, flood and other natural disasters are threats to consider. Once again, each of these threats needs to be rated by its likelihood of occurring.

The final Security Management step is to implement procedures to protect your EPHI against the medium or high potential threats. Let’s look at a few threats and some steps to strengthen your ability to protect your EPHI:

| Threat | Steps to prevent threat |
|---|---|
| Loss of EPHI (employee accidentally deletes EPHI) | Ensure you have an up-to-date backup of the EPHI |
| Loss of EPHI (disgruntled former employee accesses and destroys EPHI) | Ensure you have a valid backup and disaster recovery plan. Implement an employee termination procedure that removes physical and network access on the day of departure |
| Theft of EPHI (hacker penetrates your network and accesses EPHI) | Ensure your network is protected by a firewall, virus protection is up to date, systems have strong password protection, etc. |
| Loss of electrical power | Ensure you have a disaster recovery plan; install uninterruptible power supplies (UPS) or a backup generator |

 

What you will notice is that once the Security Management Process is done, the rest of the Security Rule is all about reducing the risks you identified. Each of the steps in the table above corresponds to a standard or implementation specification in the administrative, physical or technical safeguards: the backups are the Data Backup Plan and Disaster Recovery Plan of the Contingency Plan standard (164.308(a)(7)); removing a departing employee's access is the Termination Procedures specification of Workforce Security (164.308(a)(3)); up-to-date virus protection and strong passwords fall under Protection from Malicious Software and Password Management in Security Awareness and Training (164.308(a)(5)); and the UPS or generator supports the Emergency Mode Operation Plan (164.308(a)(7)). The firewall and the controls that decide who can log in belong to the technical safeguards.
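The process above (inventory the systems that hold EPHI, rate each one's importance, rate each threat's likelihood, and act on the medium and high combinations) is easy to capture as a small risk register. The following is an added example, not code from the original post. The systems, record counts, user counts and likelihood ratings are constructed for illustration; the importance rule of thumb and the three-by-three risk matrix follow the text, and the control names attached to each threat are the implementation specifications from the table earlier in this post.

```python
"""Qualitative risk register for the HIPAA Security Management Process.

Added example (not from the original post). All systems, counts and
threat likelihoods below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product

LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}

# Importance x likelihood -> risk rating. Low-importance systems stay low,
# mirroring the mailbox in the house analogy: nothing beyond the basics.
RISK_MATRIX = {
    ("high", "high"): "high", ("high", "medium"): "high", ("high", "low"): "medium",
    ("medium", "high"): "high", ("medium", "medium"): "medium", ("medium", "low"): "low",
    ("low", "high"): "low", ("low", "medium"): "low", ("low", "low"): "low",
}


@dataclass(frozen=True)
class System:
    name: str
    records: int            # approximate number of patient records held
    users: int              # number of workforce members with access
    highly_sensitive: bool  # e.g. behavioural health notes
    encrypted_at_rest: bool

    def importance(self) -> str:
        """Rule of thumb from the text: more records and more users raise the
        rating, highly sensitive content forces 'high', and encryption at rest
        lowers the result one step (never below 'low'). Thresholds are assumed."""
        score = 1
        if self.records >= 10_000 or self.users >= 50:
            score = 3
        elif self.records >= 1_000 or self.users >= 10:
            score = 2
        if self.highly_sensitive:
            score = 3
        if self.encrypted_at_rest and score > 1:
            score -= 1
        return NAMES[score]


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str  # low / medium / high, as judged for this practice
    controls: tuple  # Security Rule specifications that address the threat


def risk_rating(importance: str, likelihood: str) -> str:
    return RISK_MATRIX[(importance, likelihood)]


def build_register(systems, threats):
    """One row per (system, threat) pair, highest risk first."""
    rows = [
        {"system": s.name, "threat": t.name,
         "importance": s.importance(), "likelihood": t.likelihood,
         "risk": risk_rating(s.importance(), t.likelihood), "controls": t.controls}
        for s, t in product(systems, threats)
    ]
    rows.sort(key=lambda r: LEVELS[r["risk"]], reverse=True)
    return rows


def focus_list(register):
    """The rows the text says to act on: medium and high risks only."""
    return [r for r in register if r["risk"] in ("medium", "high")]


# Constructed inventory: the EMR is the 'family', the x-ray share the 'gold watch'.
SYSTEMS = [
    System("EMR", 50_000, 120, False, False),
    System("Email server", 2_000, 40, False, False),
    System("Digital x-ray network share", 5_000, 8, False, False),
    System("Offsite backup tapes", 50_000, 3, False, True),
    System("Billing laptop (encrypted)", 300, 1, False, True),
]

THREATS = [
    Threat("Employee accidentally deletes EPHI", "high",
           ("Data Backup Plan 164.308(a)(7)",)),
    Threat("Former employee destroys EPHI", "medium",
           ("Termination Procedures 164.308(a)(3)",
            "Disaster Recovery Plan 164.308(a)(7)")),
    Threat("Intruder steals EPHI over the network", "medium",
           ("Protection from Malicious Software 164.308(a)(5)",
            "Password Management 164.308(a)(5)",
            "Log-in Monitoring 164.308(a)(5)")),
    Threat("Extended power loss", "low",
           ("Emergency Mode Operation Plan 164.308(a)(7)",)),
]

if __name__ == "__main__":
    for r in focus_list(build_register(SYSTEMS, THREATS)):
        print(f"{r['risk']:6} {r['system']:28} {r['threat']}")
        print("       controls:", "; ".join(r["controls"]))
```

Two things the output makes visible that the prose does not: the encrypted backup tapes hold as much EPHI as the EMR yet land one step lower, and the EMR still shows up against the low-likelihood power-loss threat because a high-importance system keeps a medium rating even for unlikely events. Rerun the register whenever a system is added or a likelihood changes; that is the Risk Management half of the standard.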

In future posts, I will go over the rest of the administrative safeguards as well as discuss the physical and technical safeguards.
