Episode 35: Know The Rules! 6 Steps to Implementing Your Security Management Process

Before I dive right in to the six-step approach to help YOU implement a security management process, one clarification must be emphasized:

The scope of a risk analysis for the Electronic Health Record (EHR) Incentive Programs security requirements is much narrower than the scope of a risk analysis for the HIPAA Security Rule Security Management Process standard.

You should know the risk analysis requirement in the HIPAA Security Rule is much more expansive.

It requires you to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic Protected Health Information (ePHI) that an organization creates, receives, maintains, or transmits — not just the ePHI maintained in your EHR Systems.

This includes ePHI in other electronic systems and all forms of electronic media, such as hard drives, floppy disks, compact discs (CDs), digital video discs (DVDs), USB drives, smart cards or other storage devices, personal digital assistants, transmission media, or any other portable electronic media.

Note: It’s not just the ePHI in EHRs but also in practice management systems, claim processing systems, billing, patient flow (bed management), care and case management, document scanning, clinical portals, and dozens of other ancillary systems.

Don’t forget any Internet of Thing (IoT) devices you have connected to your environment. Health and Human Services (HHS) asks about them too!!

In addition, you will need to periodically review your risk analysis to assess whether changes in your environment necessitate updates to your security measures. Under the HIPAA Security Rule, the frequency of reviews will vary among Covered Entities (CEs) and Business Associates (BAs).

Some CEs may need to perform these reviews annually or as needed depending on the circumstances of their environment.

Sample Six-Step Approach for Implementing a Security Management Process

The sample six steps which will be discussed here are:

Step 1: Lead your culture, select your team, and learn

Step 2: Document your process, findings, and actions

Step 3: Review existing security of ePHI (perform a Security Risk Analysis)

Step 4: Develop an Action Plan

Step 5: Manage and mitigate risks

Step 6: Monitor, audit, and update security on an ongoing basis

Note: Performing the risk analysis in-house may require an upfront investment of your time and a staff member’s time to understand and address your security issues with respect to the HIPAA Security Rule.

Covered Entities and Business Associates need to understand your patients are entrusting YOU with their most private and intimate details, they expect it to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

YOUR security risk analysis process is an opportunity to learn as much as possible about the health of your information security. Don’t ignore YOUR need to be HIPAA compliant! Any device or media that contains PHI needs to be properly protected – HIPAA is not system or hardware specific – it applies to all!

6 Steps to Implementing Your Security Management Process



For tips like this and more request your copy of “HIPAA Security Rule – Know The Rules!” Newsletter Today.


3 thoughts on “Episode 35: Know The Rules! 6 Steps to Implementing Your Security Management Process

  1. […] Today, I am discussing the HIPAA Security Rule’s Documentation standard, §164.316(b)(1), as mentioned in “6 Step Approach to Implementing Your Security Management Process.” […]

  2. […] today’s “Know The Rules!” I provide a general understanding of risk analysis and risk management concepts and the HIPAA Security Management Process, the first standard in Administrative […]

  3. […] training plus creating a culture of compliance valuing patients’ privacy are a necessary part of risk management. All of your workforce members, including; employees, volunteers, trainees, management, and BAs, […]