HIPAA Security Rule - January 2014

The HIPAA Security Rule: Get Serious About Compliance

The Office for Civil Rights (OCR) 2014 audits are here. The September 23, 2013 HIPAA Omnibus Final Rule compliance date is past. If you have not fully complied, we suggest you comply now. Under the Final Rule, HIPAA penalties were increased and can now be as high as $50,000 per violation, capped at $1,500,000.00 per year for identical violations. These penalties can also be stacked during the same year for different types of violations.

Every covered entity (CE) and business associate (BA) is eligible for an OCR audit. It is possible that OCR may be targeting BAs in 2014 because BAs may have more compliance problems than CEs do and are at risk for more breaches than they should be.

Is your organization prepared for a 2014 OCR audit? Have you met the audit protocol requirements for administrative, physical, and technical safeguards? If your organization has not completed a HIPAA Security Rule compliance evaluation within the past year, you should begin the following immediately to prepare for a possible OCR audit:

  • Complete a HIPAA Security Evaluation
  • Complete a HIPAA Security Risk Analysis
  • Establish formal policies and procedures to ensure a Security Risk Management Program
  • Document and act upon a corrective action plan 

Key Points of the HIPAA Security Regulation

  1. All electronic protected health information (ePHI) created, received, maintained or transmitted by an organization is subject to the Security Rule, which requires CEs and BAs to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of electronic protected health information (ePHI).
  2. The HIPAA evaluation safeguard (164.308) clearly mandates that an organization "Conduct an accurate and thorough assessment of the potential risk and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the CE or the BA."
    • Prepare an action plan
    • Conduct this annually or when organizational changes take place, such as:
      • A new patient accounting system
      • Turnover in key positions in the organization
      • New implementation of electronic health records
    • Document all results
      • Include security measures in place to address each safeguard in the form of "policies and procedures" that direct employees how to comply with HIPAA Security regulations.
      • Implement a risk management program sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to ensure compliance.
      • There are exceptions. If your organization chooses not to implement an addressable safeguard (addressable does not mean optional), you must clearly document the reason behind your decision. Be sure to have mitigating controls in place to address any associated risks.
      • Select a "security official" to oversee the development, implementation, monitoring, and communication of all ePHI in the organization. Assign and document this individual's responsibility.
    • Based upon this assessment, your organization must perform risk management activities to "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level."

The Security Rule identifies "Risk Analysis" as the foundational element in the process of achieving compliance. HIPAA Risk Analysis Requirements include:

  1. Identify
    • All ePHI within your organization that you create, receive, maintain, or transmit.
      • Inventory and document all of the organization's assets that contain ePHI (computers, laptops, servers, electronic health records systems, and any other electronics that store, process, or transmit ePHI).
    • External sources that manage ePHI, such as vendors and consultants who create, receive, maintain, or transmit ePHI.
    • Human, natural, and environmental threats to information systems that contain ePHI.
      • Human threats (enabled or caused by humans): network- and computer-based attacks, malicious software upload, unauthorized access to ePHI, inadvertent data entry or deletion, and inaccurate data entry.
      • Natural threats: floods, earthquakes, tornadoes, and landslides.
      • Environmental threats: power failures, pollution, chemicals, and liquid leakage.
  2. Understand
    • Vulnerability, which is defined by the federal National Institute of Standards and Technology (NIST) as a "flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised and result in a security breach or a violation of the system's security policy."
      • Document each identified threat for each asset and specify the security measures you have taken to mitigate it.
    • Threat, which is defined by NIST as "the potential for a person or thing to exercise a specific vulnerability."

What Should You Do with the Outcome of Your Organization's Risk Analysis Process?

  1. Design "policies and procedures" to guide employees in compliance with the Security Rule.
  2. Identify what data to back up and how.
  3. Decide whether and how to use encryption.
  4. Address what data must be authenticated in particular situations to protect data integrity.
  5. Determine the appropriate manner of protecting ePHI transmission.
    • Examples might include:
      • Do not allow laptops with ePHI to leave the organization's facility
      • Limit access to ePHI to only those staff who work directly with ePHI.
  6. Identify and document business associate (BA) and subcontractor relationships.
  7. Document, document, document