Posted by: Pabrai
The very first implementation specification in the HIPAA Security Rule is Risk Analysis. The Office for Civil Rights (OCR) recently published a (draft) guidance document to assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability (CIA) of EPHI.
The First Step
Conducting a risk analysis is the first step in identifying and implementing safeguards – your countermeasures or controls – that comply with and carry out the standards and implementation specifications in the HIPAA Security Rule. Given the requirements of the HIPAA Privacy Rule and the HITECH Act, organizations should look at all PHI it processes or manages, and not limit the analysis to EPHI.
HIPAA Security Rule
All EPHI created, received, maintained or transmitted by an organization is subject to the HIPAA Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of EPHI. As your organization – be it a covered entity or a business associate – looks to comply with the HITECH Act and the HIPAA Security Rule – keep in mind that the risk analysis implementation specification is the first step in that process.
Critical Questions to Address
Critical questions that every covered entity and business associate impacted by the HIPAA regulation must address in the scope of the risk analysis activity – on a regular basis – include:
- Have you identified the EPHI as well as PHI within your organization? This includes PHI that you create, receive, maintain or transmit.
- What are the external sources of PHI? For example, do vendors or consultants create, receive, maintain or transmit PHI or EPHI?
- What are the human, natural, and environmental threats to information systems that contain EPHI and PHI?
More than ever, the Boards of Directors at hospitals, health systems, business associates and others are taking notice and asking an important question – “is the organization compliant with HIPAA and HITECH mandates?” Have you completed the first step – Risk Analysis?