HIPAA Security Rule and Security Risk Assessments in Healthcare

By Art Gross, President and CEO, HIPAA Secure Now!

While the Health Insurance Portability and Accountability Act (HIPAA) is all about protecting patient privacy, the Privacy Rule is just one of five areas of regulation. When it comes to annual requirements, the other heavy hitter is the Security Rule, which focuses on securing technology. This blog explores the key aspects of the HIPAA Security Rule and its implications for covered entities and business associates.

Understanding HIPAA Security Rule Applicability

The Security Rule applies to various entities involved in healthcare transactions, including:

  • Covered Healthcare Providers: Those providing medical or health services and transmitting health information electronically.
  • Health Plans: Individual or group plans covering medical care costs, including health insurance issuers and government programs like Medicare and Medicaid.
  • Healthcare Clearinghouses: Entities processing healthcare transactions from standard to non-standard formats.
  • Business Associates: Individuals or entities performing functions or activities involving the use or disclosure of ePHI on behalf of a covered entity.

Security Rule Goals and Objectives

The Security Rule outlines specific goals and objectives to ensure the protection of ePHI. Regulated entities must:

  • Ensure the confidentiality, integrity, and availability of all ePHI.
  • Protect against reasonably anticipated threats and hazards to ePHI security.
  • Safeguard against uses or disclosures not permitted by the Privacy Rule.
  • Ensure compliance with the Security Rule by their workforce.

Covered entities are obligated to obtain written agreements from business associates regarding the protection of Protected Health Information (PHI). Flexibility in approach allows customization based on organizational size, complexity, and technical capabilities.

Security Rule Organization

The Security Rule is organized into six main sections, each addressing different aspects of security:

  1. Security Standards: General Rules: Establishes general requirements, flexibility of approach, and decisions on addressable implementation specifications.
  2. Administrative Safeguards: Manages the selection, development, and implementation of security measures.
  3. Physical Safeguards: Ensures protection against natural and environmental hazards and unauthorized intrusion.
  4. Technical Safeguards: Governs technology, policies, and procedures for protecting ePHI and controlling access.
  5. Organizational Requirements: Includes standards for business associate contracts and arrangements.
  6. Policies and Procedures and Documentation Requirements: Mandates the implementation of policies, documentation, and retention requirements.

Implementing Security Rule Standards

Regulated entities must comply with all Security Rule standards, and should work toward the recommendations from their assessment throughout the year rather than only at audit time. Each standard's implementation specifications are either required or addressable. An addressable specification is not optional: the entity must assess whether the safeguard is reasonable and appropriate for its environment and, where it is not implemented as written, document why and put an equivalent alternative in place.

In conclusion, the HIPAA Security Rule provides a robust framework for safeguarding ePHI. Covered entities and business associates must navigate its intricacies to ensure compliance, adaptability, and, most importantly, the secure handling of electronic health information.

How to Prepare for a Security Risk Assessment in Healthcare

More than just a mandatory HIPAA requirement, Security Risk Assessments are critical to ensuring the security of your healthcare organization. As cyber threats evolve, so must our strategies to safeguard electronic Protected Health Information (ePHI).

In this blog, we’ll navigate through the steps involved in a comprehensive risk assessment, empowering covered entities and business associates to better understand Security Rule regulations and put them into action.

1. Prepare for the Assessment
Before embarking on a risk assessment, be sure to define the following:

  • Scope: the specific areas under evaluation, or more simply put, anywhere that PHI is created, received, maintained, processed, or transmitted. It encompasses the facilities, individuals, systems, and equipment where Protected Health Information (PHI) is involved. The scope acts as a boundary that clearly outlines which components are included in the assessment, which streamlines the audit process.
  • PHI flows: identify where PHI originates (e.g., information received via phone in a telehealth organization), where it is stored (e.g., an Electronic Medical Record or EMR system), and the processes involved in handling and transmitting it. This knowledge is pivotal for a thorough assessment of security risks.
  • Asset Inventory: both physical assets such as laptops, phones, and servers, and non-physical assets such as a cloud-based Electronic Medical Record (EMR). This inventory is crucial for evaluating and managing the security risks associated with the diverse elements within an organization.

2. Identify Reasonably Anticipated Threats
List potential threat events and sources relevant to your operating environment. Consider both human and natural incidents that could compromise the confidentiality, integrity, and availability of ePHI. Whether it’s phishing, ransomware, or insider threats, a thorough identification process sets the foundation for a robust risk assessment.

3. Identify Potential Vulnerabilities and Predisposing Conditions
For each threat identified, ascertain the vulnerabilities or predisposing conditions that could be exploited. This involves a detailed exploration of weaknesses in information systems, security procedures, and internal controls. The aim is to understand the conditions that might increase the likelihood of a threat event causing adverse impacts.

4. Provide Detailed, Honest Information to Your Auditor
Work with a compliance professional to gain thorough, objective insight into your organization's current security measures. This professional will evaluate the likelihood, impact, and resulting risk level of each vulnerability being exploited. This step provides a clear understanding of the risk landscape and informs subsequent risk management strategies.

5. Document the Risk Assessment Results
Once the risk assessment is complete, document the results, including all threat/vulnerability pairs, likelihood and impact calculations, and overall risk levels. This documentation serves as a crucial reference for ongoing risk management and facilitates communication with organizational leadership.
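The five steps above, carried through as a small risk register: in-scope assets from the inventory, threat/vulnerability pairs rated for likelihood and impact, and a documented, ranked result. This is an added example, not the article's or HIPAA Secure Now!'s own tooling; the 1-3 rating scale, the risk-level thresholds, and the sample assets and pairs are constructed assumptions.

```python
from dataclasses import dataclass

SCALE = (1, 2, 3)  # assumed qualitative scale: 1 = Low, 2 = Medium, 3 = High

@dataclass(frozen=True)
class Asset:
    name: str        # from the asset inventory (step 1)
    holds_phi: bool  # in scope only where PHI is created, received, stored or transmitted

@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str         # step 2: reasonably anticipated threat
    vulnerability: str  # step 3: condition the threat could exploit
    likelihood: int     # step 4: assessor's rating on SCALE
    impact: int         # step 4: assessor's rating on SCALE

    def score(self) -> int:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}/{self.threat}: ratings must be in {SCALE}")
        return self.likelihood * self.impact

    def level(self) -> str:
        # thresholds are an assumption: 1-2 Low, 3-4 Medium, 6-9 High
        s = self.score()
        return "High" if s >= 6 else "Medium" if s >= 3 else "Low"

def build_register(assets, items):
    """Step 5: every threat/vulnerability pair with its ratings, highest risk first."""
    scope = {a.name for a in assets if a.holds_phi}
    for item in items:
        if item.asset not in scope:
            raise ValueError(f"{item.asset!r} is not in the PHI scope defined in step 1")
    rows = [{"asset": i.asset, "threat": i.threat, "vulnerability": i.vulnerability,
             "likelihood": i.likelihood, "impact": i.impact,
             "score": i.score(), "level": i.level()} for i in items]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample inventory and pairs (illustrative, not real findings)
ASSETS = [Asset("Cloud EMR", True), Asset("Front-desk laptop", True), Asset("Lobby TV", False)]
ITEMS = [
    RiskItem("Cloud EMR", "Phishing", "No MFA on EMR logins", 3, 3),
    RiskItem("Front-desk laptop", "Theft", "Laptop disk not encrypted", 2, 3),
    RiskItem("Cloud EMR", "Ransomware", "Backups never restore-tested", 2, 2),
    RiskItem("Front-desk laptop", "Power outage", "No UPS", 3, 1),
]
if __name__ == "__main__":
    for r in build_register(ASSETS, ITEMS):
        print(f"{r['level']:6} {r['score']}  {r['asset']}: {r['threat']} via {r['vulnerability']}")
```

The scope check rejects any pair that names an asset outside the PHI boundary, so the register cannot silently drift beyond what step 1 defined.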

Risk Assessment as an Ongoing Activity

Understanding that threats evolve, vulnerabilities change, and mitigation strategies adapt, we emphasize that a truly comprehensive risk assessment is not a one-time task. It’s a dynamic, ongoing activity that requires periodic updates to ensure risks are continuously identified, documented, and effectively managed.

With healthcare ranking as the third most targeted field for cyber attacks, risk assessments are key to mitigating increasing risks and ensuring the resilience of your organization. Over time, you can look back and be proud of the progress your organization has made, and honor the commitment you have made to protecting patient privacy.

These two articles were originally published on HIPAA Secure Now! and are republished here with permission.