The Security Rule: How to Manage Adherence
Presented by: Raymond F. Ribble, President, SPHER, Inc.
A joint Data Breach Study from IBM and The Ponemon Institute estimates the average cost of a healthcare data breach to be $3.86 million, with the average cost per lost or stolen record at $148. The report further predicts the likelihood of a healthcare organization experiencing a breach within the next two (2) years to be extremely high. Associated studies from the FBI and past law enforcement reports indicates the average breach was not identified until passage of more than 360 days. The resulting cost and damage to an organizations business model, it’s reputation, and the obvious patient privacy violations often prove too daunting to be overcome leading to practice failure and bankruptcy.
During the 2019 ADAM Annual Conference presentation of The Security Rule: How to Manage Adherence, by SPHER Inc.’s President, Raymond Ribble, the background necessary to understand the HIPAA guidelines and a narrative of HIPAA Security Rule compliance was reviewed for ADAM members.
The Security Rule sets the minimum standards required for Covered Entities (CE) to manage electronic PHI (ePHI). During the ADAM presentation the need to conduct and document a Security Risk Assessment (SRA) (see figure 1.) was stressed. To maintain HIPAA compliance, CEs need to address three (3) key Security Risk Assessment safeguards: Administrative, Physical, and Technical.
The HIPAA Security Rule administers the following safeguards:
Defined as administrative actions, policies, and procedures for managing the selection, development, implementation, and maintenance of security measures to protect ePHI and manage employee conduct related to ePHI protection. Standards include:
Security management process — includes policies and procedures for preventing, detecting, containing, and correcting violations. A critical part of this standard is conducting a security risk analysis and implementing a risk management plan.
Assigned security responsibility — requires a designated security official who is responsible for developing and implementing policies and procedures.
Workforce security — refers to policies and procedures governing employee access to ePHI, including authorization, supervision, clearance, and termination.
Information access management — focuses on restricting unnecessary and inappropriate access to ePHI. Monitoring user access to patient ePHI.
Security awareness and training — requires the implementation of a security awareness program for the entire workforce of the CE.
Business and Associate Agreements — requires all covered entities to have written agreements or contracts in place for their vendors, contractors, and other business associates that create, receive, maintain or transmit ePHI on behalf of the HIPAA covered entity.
Defined as physical measures, policies, and procedures for protecting electronic information systems and related equipment and buildings from natural/environmental hazards and unauthorized intrusion. Standards include:
Facilities’ access control — these are policies and procedures for limiting access to the facilities that house information systems.
Workstation use — addresses the appropriate business use of workstations, which can be any electronic computing device as well as electronic media stored in the immediate environment.
Workstation security — requires the implementation of physical safeguards for workstations that access ePHI.
Device and media controls — requires policies and procedures for the removal of hardware and electronic media containing ePHI in and out of the facility and within the facility.
Defined as the technology and the policies and procedures for the technology’s use that collectively protect ePHI as well as control access to it. Standards include:
Access — refers to the ability/means to read, write, modify, and communicate the patient data and includes files, systems, and applications. Includes access procedures as well as data encryption.
Audit controls — mechanisms and tools for recording and examining user access activity pertaining to ePHI within the systems which maintain PHI.
Authentication — requires the verification of the identity of the entity or individual seeking access to the protected data.
A Download of the HIPAA Security Risk Assessment Tool is here.
Each organization has to determine what are reasonable and appropriate security measures based on its own user environment and application is use. While there is definitely a cost associated with protecting patient PHI, HHS has consistently placed an emphasis on performing annual security risk assessments and implementing mitigation plans to manage the risks.
About the Author:
Raymond F. Ribble
D: (310) 602-5140