The Department of Health and Human Services Office for Civil Rights (OCR) has investigated and resolved over 158,000 Health Insurance Portability and Accountability Act (HIPAA) cases since 2003. The top two compliance issues identified in those investigations are impermissible uses and disclosures of protected health information and a lack of safeguards for protected health information. The types of covered entities most often required to take corrective action are 1) private practices, 2) general hospitals, and 3) outpatient facilities. This should come as no surprise: private practices often do not fully understand the requirements of the HIPAA Security Rule (HSR) and how it applies to them, and they typically lack the in-house expertise and resources needed to build a HIPAA-compliant security program.
The HSR outlines the data security requirements that all covered entities (CEs) and business associates (BAs) must implement to ensure compliance. The security requirements, also known as safeguards, are broken into three categories – administrative, technical and physical. Part 1 of this blog series discusses the Administrative safeguards, which focus on the activities necessary to properly design, implement and manage effective security mechanisms. The Administrative safeguards encompass the following areas:
- Security Management Process
- Security Personnel
- Information Access Management
- Workforce Training and Management
Each safeguard standard is supported by implementation specifications that are categorized as either “required” or “addressable”. Required specifications must be implemented by the CE regardless of its size, complexity or resources. Addressable specifications give the organization the ability to tailor the solution to its environment based upon its unique threats, budget and infrastructure. Addressable does not mean optional: the organization must assess whether the specification is reasonable and appropriate for its environment and then either implement it, implement an equivalent alternative measure, or document why neither is warranted.
One of the most critical Administrative safeguards is an organization-specific risk analysis, which is itself a required implementation specification. The risk analysis is the foundation for developing a customized, HSR-compliant security program. The HSR requires that organizations “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” If your organization does not properly perform this risk analysis, you risk building a security program that is non-compliant and possibly opening yourself to OCR enforcement actions. The risk analysis also serves as the primary guide for ensuring that the solutions you implement for the other safeguards are integrated and focused on the organization’s greatest threats and risks. It is critical to take an integrated and holistic approach to HSR compliance to minimize the impact on your organization and ensure that you are getting the maximum benefit.
If you would like to learn more about how you can assess your organization’s compliance with the HIPAA Security Rule, please CONTACT US.