HIPAA-HITECH Data Security and Privacy Expert

HIPAA HITECH Compliance Advisors and Data Mountain

The HIPAA Security Final Rule requires every covered entity (CE) and now, due to the HITECH Act, every Business Associate (BA) to conduct a risk analysis (CFR §164.308(a)(1)(ii)(A)) to determine security risks and implement measures “to sufficiently reduce those risks and vulnerabilities to a reasonable and appropriate level.” Additionally, completing this HIPAA risk analysis is a core requirement of Meaningful Use.

From a very practical perspective, what one ultimately seeks to develop by completing a HIPAA risk analysis is a prioritized list of security risks that need to be addressed with a risk mitigation action based on an informed decision. The classic formula for calculating risk is: Risk = Impact * Likelihood

The Security Rule9, reinforced by the HITECH Act, requires a CE and a BA, in accordance with the security standards general rules (CFR §164.306), to have a security management process in place “to implement policies and procedures to prevent, detect, contain, and correct security violations.”

The security standards include general requirements to:

• Ensure the confidentiality, integrity, and availability of all electronic protected health information the CE or BA creates, receives, maintains, or transmits
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy rule
• Ensure compliance with this law by its workforce

The standards are flexible in regards to approach:

• CEs and BAs may use any security measures that allow the CE to reasonably and appropriately implement the standards and implementation specifications as specified in this law
• In deciding which security measures to use, a CE or BA must take into account the following factors:
  • The size, complexity, and capabilities of the CE or BA
  • The CE’s or BA’s technical infrastructure, hardware, and software security capabilities
  • The costs of security measures
  • The likelihood and impact of potential risks to electronic protected health information

In applying flexibility, however, the preamble to the Security Rule states, “Cost is not meant to free covered entities from this [adequate security measures] responsibility.”

As required by the HITECH Act, the Office of Civil Rights, within the Department of Health and Human Services (HHS), has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. The following excerpts provide an overview of this guidance:

The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.

The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 CFR § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard.

Section 164.308(a)(1)(ii)(A) states:

RISK ANALYSIS (Required).

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

Because many small clinics, medical practices or business associates do not have a full-time information technology person not to mention a chief information officer, system and information owners, business and functional managers, information technology (IT) security analysts, etc., the risk analysis should be completed by a combination of outside HIPAA-HITECH Security specialists, practice management staff, the clinical staff and business leaders and managers.