The HIPAA Security Final Rule, reinforced by the HITECH Act, requires every CE and BA, in accordance with the security standards general rules (§164.306), to have a security management process in place “to implement policies and procedures to prevent, detect, contain, and correct security violations.” Here’s today’s big tip – Know the letter and the intent of the regulations; specifically, in this case, know what is required for Risk Analysis and Risk Management. Here’s how…
The security standards include general requirements to:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the CE or BA creates, receives, maintains, or transmits
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy rule
- Ensure compliance with this law by its workforce
The standards are flexible with regard to approach:
- CEs and BAs may use any security measures that allow them to reasonably and appropriately implement the standards and implementation specifications, as specified in this law
- In deciding which security measures to use, a CE or BA must take into account the following factors:
  - The size, complexity, and capabilities of the CE or BA
  - The CE’s or BA’s technical infrastructure, hardware, and software security capabilities
  - The costs of security measures
  - The relative magnitude or levels of risks to ePHI
In applying flexibility, however, the preamble to the Security Rule states, “Cost is not meant to free covered entities from this [adequate security measures] responsibility.” So, be careful crying poor!
The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions for implementation of the Security Management Process standard.
Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
As required by the HITECH Act, the Office for Civil Rights has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.
Please avail yourself of any of these free resources:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources