2. Security Risk Assessment
A detailed Risk Assessment is required under the HIPAA Security Rule.
The Security Management Process standard in the Security Rule requires organizations to “implement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1)). Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the [organization].
HIPAA Secure Now! will perform an administrative, physical, and technical assessment against the HIPAA Security Regulations. The Risk Assessment follows the methodology described in NIST Special Publication (SP) 800-30.
Risk Assessment Process
1. Identify and document all electronic protected health information (ePHI) repositories. Evaluate every system that stores, receives, maintains, or transmits ePHI.
2. Identify and document potential threats and vulnerabilities to each repository. Threats include fire, flood, stolen laptops, etc.
3. Assess current security measures. Review the security measures (safeguards / controls) currently in place to mitigate the identified risks. Examples of current safeguards include employee security awareness training, encryption, data backups, disaster recovery, etc.
4. Determine the likelihood of threat occurrence. For each threat and vulnerability to ePHI identified in step 2, calculate the likelihood of the threat occurring. Existing security measures identified in step 3 may lower the likelihood of a threat; existing vulnerabilities identified in step 2 may raise it. Likelihood is expressed in terms of low, medium or high.
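The four steps above can be carried through on a small risk register. The following is an added example written for this page, not HIPAA Secure Now!'s tooling or a NIST artifact: repositories (step 1) hold threats with their vulnerabilities (step 2) and existing safeguards (step 3), and step 4 derives a low/medium/high likelihood. The rule that each vulnerability moves the estimate up one level and each safeguard moves it down one level, clamped to the scale, is an assumption of this example, as are the constructed sample repositories and threats.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Qualitative scale used on the page: likelihood is low, medium or high.
LEVELS = ["low", "medium", "high"]


@dataclass
class Threat:
    name: str
    base_likelihood: str  # analyst's starting estimate: low / medium / high
    vulnerabilities: List[str] = field(default_factory=list)  # step 2: these raise likelihood
    safeguards: List[str] = field(default_factory=list)       # step 3: these lower likelihood


@dataclass
class Repository:
    name: str  # step 1: a system that stores, receives, maintains or transmits ePHI
    threats: List[Threat] = field(default_factory=list)


def adjusted_likelihood(threat: Threat) -> str:
    """Step 4: start from the base estimate, move up one level per identified
    vulnerability and down one level per existing safeguard, then clamp to the scale.
    The one-level-per-item rule is an assumption of this example, not NIST SP 800-30's."""
    if threat.base_likelihood not in LEVELS:
        raise ValueError(f"unknown likelihood {threat.base_likelihood!r} for {threat.name}")
    idx = LEVELS.index(threat.base_likelihood)
    idx += len(threat.vulnerabilities) - len(threat.safeguards)
    idx = max(0, min(len(LEVELS) - 1, idx))
    return LEVELS[idx]


def assess(repositories: List[Repository]) -> Dict[str, List[Tuple[str, str]]]:
    """Detailed-report view: every threat to every repository with its adjusted likelihood."""
    return {r.name: [(t.name, adjusted_likelihood(t)) for t in r.threats] for r in repositories}


def overall_likelihood(repositories: List[Repository]) -> Dict[str, str]:
    """Executive-summary view: the worst-case threat likelihood per repository.
    A repository with no threats recorded is flagged rather than silently rated low."""
    result: Dict[str, str] = {}
    for r in repositories:
        levels = [adjusted_likelihood(t) for t in r.threats]
        result[r.name] = max(levels, key=LEVELS.index) if levels else "unassessed"
    return result


# Constructed sample register (not real findings): two ePHI repositories.
SAMPLE_REGISTER = [
    Repository("EHR database server", [
        Threat("Ransomware infection", "medium",
               vulnerabilities=["unpatched operating system"]),
        Threat("Flood in server room", "low",
               safeguards=["offsite data backups"]),
    ]),
    Repository("Clinician laptops", [
        Threat("Stolen laptop", "medium",
               safeguards=["full-disk encryption", "security awareness training"]),
    ]),
]


if __name__ == "__main__":
    for system, findings in assess(SAMPLE_REGISTER).items():
        print(f"{system}: overall {overall_likelihood(SAMPLE_REGISTER)[system]}")
        for threat, level in findings:
            print(f"  - {threat}: {level}")
```

Running the module prints the detailed view per system and the overall rating; in the constructed register the ransomware threat comes out high (one vulnerability, no safeguards), while the flood and stolen-laptop threats are pushed down to low by their safeguards.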
The output of the Risk Assessment consists of a 10-15 page Executive Summary as well as a 50+ page detailed report. The Executive Summary is an easy-to-understand overview that discusses the current state of the overall risk to systems that contain ePHI as well as recommendations to lower the risk to each system. The detailed report looks at each system that contains ePHI and documents the threats to the system, the vulnerabilities of the system, the current safeguards in place to protect the system, and the additional recommended safeguards to lower the risk to the system.
The Risk Assessment report will give a good understanding of the risks to ePHI and provide specific steps and actions that should be taken to lower the risk.
3. HIPAA Security Training and Compliance Testing
Employee training on security and protecting patient information is a requirement under HIPAA regulations.
STANDARD § 164.308(a)(5) Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).
Security training for all new and existing members of the covered entity’s workforce is required by the compliance date of the Security Rule. In addition, periodic retraining should be given whenever environmental or operational changes affect the security of EPHI. Changes may include: new or updated policies and procedures; new or upgraded software or hardware; new security technology; or even changes in the Security Rule.
Source: Department of Health and Human Services Security Standards: Administrative Safeguard
The HIPAA security service provides in-depth practical training on the HIPAA Security and Privacy Rules as well as advice for best practices in protecting ePHI and patient information. The training is provided in an online format which is both engaging and convenient to staff members.
Training requires 60 – 90 minutes to complete. Staff members can begin a training session, stop, and resume the session from where they left off. They can take the training during work hours or complete the training at home after hours – from anywhere with internet access.
Once staff members have completed the online training, they will take a 25-question online quiz to demonstrate their knowledge of the HIPAA Security and Privacy Rules. If they receive a score of 80% or higher, they will receive a certificate with their name acknowledging that they have successfully completed the HIPAA Security and Privacy Training. If they do not receive an 80% score on the quiz, they can retake it as many times as they need to.
A Training Report is provided that lists each of the staff members who have completed training, the date/time they took the training and the highest score they received on the training quiz. The report can be easily exported to MS Excel for comparison to an employee roster.
4. HIPAA Compliance Portal
The HIPAA Compliance Portal makes it easy to manage all aspects of HIPAA security compliance. The compliance portal will store the 18 HIPAA security policies and procedures and the Privacy Manual. Employees will be able to access the policies and procedures, read summaries of each of the policies and procedures, and watch short, entertaining videos that describe each policy and procedure.
In addition, the HIPAA compliance portal has the ability to upload other policies and procedures and important documents such as HIPAA privacy policies and procedures, disaster recovery procedures, HR policies and procedures, etc. Employees can access all the policies and procedures via the HIPAA compliance portal.
Administrators of the HIPAA compliance portal can utilize the functionality to perform the following functions:
- Access the HIPAA security risk assessment documents.
- Access HIPAA security and privacy policies and procedures.
- Track and maintain all business associates including uploading any business associate agreements.
- Track electronic protected health information (ePHI) that enters or leaves the organization.
- Capture and record any security incidents that affect patient data or ePHI.
- Provide HIPAA security and privacy training to new employees.
- Track repairs or maintenance to critical areas such as server rooms and other areas that store sensitive ePHI.
- Access employee HIPAA security and privacy training reports.
LIMITATION OF LIABILITY
THE HIPAA SECURE NOW! SERVICE DOES NOT GUARANTEE COMPLIANCE WITH THE HIPAA SECURITY OR PRIVACY RULES. THE SERVICE PROVIDES EDUCATION AND TOOLS TO HELP IMPLEMENT THE HIPAA SECURITY AND PRIVACY RULES. THE HIPAA SECURITY AND PRIVACY POLICIES AND PROCEDURES ARE A FOUNDATION FOR IMPLEMENTING THE SECURITY AND PRIVACY RULES. IT IS THE ORGANIZATION’S RESPONSIBILITY TO ENSURE THAT ALL EMPLOYEES COMPLY WITH THE POLICIES AND PROCEDURES. IN ADDITION, THE HIPAA SECURITY RISK ASSESSMENT IDENTIFIES AREAS THAT THE ORGANIZATION NEEDS TO CONCENTRATE ON TO FURTHER PROTECT ELECTRONIC PROTECTED HEALTH INFORMATION (EPHI, OR BETTER KNOWN AS PATIENT INFORMATION). IT IS THE ORGANIZATION’S RESPONSIBILITY TO ACT UPON THE RISK ASSESSMENT AND IMPLEMENT THE RECOMMENDATIONS TO FURTHER PROTECT EPHI. IT SHOULD ALSO BE NOTED THAT THE HIPAA SECURE NOW! SERVICE IS NOT LEGAL ADVICE. CONSULT WITH LEGAL COUNSEL TO ENSURE A FULL LEGAL INTERPRETATION OF THE LAW.