HIPAA Security Rule

Comprehensive HIPAA Security Rule Risk Analysis

The requirement for conducting a comprehensive risk analysis is found in the HIPAA regulations at 45 C.F.R. §164.308(a)(1)(ii)(A). Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the Privacy Standard and implementation specifications in the Security Rule.  Therefore, a risk analysis is foundational and must be understood in detail before a Covered Entity can proceed with developing a workable HIPAA Privacy and Security Compliance Plan. The risk analysis must be conducted so that the Covered Entity can specifically address the necessary safeguards and technologies that will best protect electronic health information (e-PHI).  All e-PHI created, received, maintained or transmitted by the Covered Entity is subject to the HIPAA Security Rule.

This first step in HIPAA compliance is to determine the current degree of HIPAA readiness by conducting an assessment of all systems, policies, procedures, forms, and practices — and accompanying it with a security risk analysis.  We look closely at the physical security situation and review software applications for technical and electronic security problems.  We typically devote a minimum of a full day on-site in order to discuss with the Privacy/Security Officer, the IT employee or consultant, and other germane staff members, the overall flow of patient’s protected health information (“PHI”) – electronic or not – within the facility, the various circumstances under which the facility typically uses, discloses or electronically transmits PHI and the various aspects of physical security within the facility.

The Security Rule requires Covered Entities to evaluate risks and vulnerabilities in your environment and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI.  Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard.  The purpose of a risk assessment is to identify conditions where e-PHI could be disclosed without proper authorization, improperly modified, or made unavailable when needed.  This information is then used to make risk management decisions on whether the HIPAA-required implementation specifications are sufficient or what additional addressable implementation specifications are needed to reduce risk to an acceptable level.

The Security Management Process standard in the Security Rule requires Covered Entities to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).)

If your facility is in attempting to achieve and collect the “meaningful use” incentive payouts, then Demonstrating Meaningful Use of an Electronic Health Record (EHR) requirement mandates that organizations must, “implement systems to protect the privacy and security of patient data.”  Organizations seeking to demonstrate HITECH Meaningful Use must meet the requirements of Core Measure #14:  “conduct or review a security risk analysis and implement security updates as necessary, and correct identified security deficiencies.”  The Centers for Medicare & Medicare Services (CMS) introduced rules to implement provisions of ARRA to provide incentive payments for the meaningful use of certified Electronic Health Record (EHR) technology.  Further, meaningful use has an impact on HIPAA and HITECH mandates.  The HCR Risk Assessment will meet the requirement that reflects CMS’s strong mandates for privacy and security compliance which must be addressed.

HIPAA Privacy Rule and Security Rule Manual (with up to date forms to comply with 2013 Omnibus Rule)

Background:  After April 14, 2003, HIPAA’s Privacy Rule has been the law.  Joining in on April 20, 2005 was HIPAA’s Security Rule dealing primarily with electronic health information.  These provisions have been the framework for the federal government supervision of the privacy and security of so-called protected health information (“PHI”).  On February 17, 2009, with the enactment of the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), the rules of the game substantially changed.  Then on January 25, 2013, the Federal Register published the final omnibus rules written by the U.S. Department of Health and Human Services (HHS) to modify the HIPAA Privacy, Security, Breach Notification and Enforcement Rules.  The modifications implement most of the privacy and security provisions of the HITECH Act and relevant provisions of the Genetic Information Nondiscrimination Act.  The compliance deadline for virtually every provision of these rules was September 23, 2013.

While the framework of the Health Insurance Portability and Accountability Act (HIPAA) has been retained, there is broader coverage and increased burdens.  The Act adds privacy and security provisions and a penalty to business associates in the same manner such sections apply to a covered entity.  Civil and criminal penalties shall apply to business associates in the same manner as covered entities.  The Omnibus Rule also imposes a heightened notification requirement in the event of a breach.

Healthcare Compliance Resources can develop and provide to any Covered Entity a comprehensive HIPAA Compliance Manual with policies, procedures and forms to cover both the HIPAA Privacy Rule and the HIPAA Security Rule.  Our Manual will also include all the regulatory changes which were required as of September 23, 2013 due to the mandated requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (the HITECH Act) solidified by the Omnibus Rule.

Specifically, HCR will write new policies and procedures to address the following areas:

  • the new obligation to give notice to the patient, to HHS, and in some cases, to the local media, in case of the unauthorized acquisition, access, use or disclosure of PHI;

  • the new requirement that a Covered Entity agrees to a patient’s request to restrict disclosure of PHI made to a health plan where the PHI involved pertains solely to an item or service for which the Covered Entity has been paid in full, out-of-pocket by the patient;

  • the changed requirement that, when disclosure is subject to the “minimum necessary” requirement, it must be limited to the extent practicable, to a “limited data set”, and only “if needed” by the Covered Entity, to the minimum necessary to accomplish the intended purpose standard;

  • the new requirement applicable to all Covered Entities when using electronic health records (“EHR’s”) to account to patients for disclosures made through the EHR for treatment, payment and health care operations (but only for three (3) years prior to the date the accounting is requested);

  • new specific prohibitions on the sale of PHI;

  • disaster recovery, business continuation,  and contingency planning protocols;

  • the new requirement that the Covered Entity will provide information in electronic format to a patient upon a request for access to the patient’s designated record set;

  • additional restrictions on communications for marketing and fund-raising purposes; and, in addition, HCR will write:

    – the Notice of Privacy Practices to explain the changes mandated by the Health Information Technology for Economic and Clinical Health Act of 2009.

    – Business Associate Contract template (Agreements) to comply with the mandated changes affected by the HITECH Act.

    – Confidentiality Agreements for your use where you deem necessary, i.e., medical supply representatives, pharmaceutical representatives, janitorial contractors, and new employees.