There are many important elements to implementing an effective HIPAA Program, but none are more important than completing a security risk analysis. Conducting a risk analysis will give your practice an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of your electronic protected health information.
Completing a security risk analysis is a required element. This means that most specifications must be evaluated and if applicable, implemented, in order to achieve compliance with the Security Rule. It is important to remember that certain specifications in the risk analysis are considered addressable, meaning it is up to the covered entity to determine (in writing) if the specification is a "reasonable and appropriate" safeguard for its environment, taking into consideration how it will protect ePHI.
According to the Security Rule, your security risk analysis should be broken down into the implementation of 3 categories of electronic protected health information safeguards: Administrative, Physical, and Technical. The following is an overview of each category, including differentiation between those specifications that are required and those that are addressable.
Administrative safeguards are administrative actions and functions to manage the security measures in place that protect electronically protected health information. Administrative safeguards must state how the covered entity will conduct oversight and management of staff members who have access to, and handle ePHI. Administrative safeguards include:
- Risk Assessment (R)
- Sanctions Policy (R)
- Information System Activity Review (R)
- Security Officer Assignment (R)
- Security Awareness and Training (A)
- Security Incident Procedures (R)
- Disaster Recovery and Data Backup Plan (R)
- Periodic Security Evaluations (R)
- Business Associate Contracts (R)
Physical safeguards are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards, and unauthorized intrusion. It includes restricted access to ePHI and retaining off-site computer backups. Applying physical safeguards means establishing:
- Facility Access Controls (A)
- Workstation Use and Controls (R)
- Device and Media Controls (R)
Technical safeguards are the automated processes used to protect and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it is being stored and/or transmitted. Technical Safeguards are:
- Unique User Login (R)
- Emergency Access Procedures (R)
- Automatic Logoff (A)
- Encryption and Decryption (A)
- Audit Controls (R)
- Authentication of Integrity of ePHI (A)
- Authentication of Person or Entity (R)
- Transmission Security (A)
Completing your security risk analysis is not only an essential component of your HIPAA program, but it will enable you to identify and rectify any risks and vulnerabilities to the access and confidentiality of your electronic protected health information. The results of your risk analysis will be used to determine the appropriate security measures to be taken. Be sure and re-evaluate your risk analysis periodically, especially if there have been any known or suspected threats to your security program.
About the Author
Karen Pass is a Senior Compliance Specialist and is also certified in healthcare compliance. For over the past 14 years, she has conducted thousands of safety and compliance audits and training for a variety of healthcare clients. Karen has worked in healthcare for over 25 years, more recently as a Regional Director of Operations for a national imaging company. She holds a BS from the University of Saint Francis and is registered as a medical sonographer and in radiologic technology with a certification in mammography.