Before I dive right into the six-step approach to help YOU implement a security management process, one clarification must be emphasized:
The scope of a risk analysis for the Electronic Health Record (EHR) Incentive Programs security requirements is much narrower than the scope of a risk analysis for the HIPAA Security Rule Security Management Process standard.
You should know the risk analysis requirement in the HIPAA Security Rule is much more expansive.
It requires you to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the electronic Protected Health Information (ePHI) that an organization creates, receives, maintains, or transmits — not just the ePHI maintained in your EHR Systems.
This includes ePHI in other electronic systems and all forms of electronic media, such as hard drives, floppy disks, compact discs (CDs), digital video discs (DVDs), USB drives, smart cards or other storage devices, personal digital assistants, transmission media, or any other portable electronic media.
Note: It’s not just the ePHI in EHRs but also in practice management systems, claim processing systems, billing, patient flow (bed management), care and case management, document scanning, clinical portals, and dozens of other ancillary systems.
Don’t forget any Internet of Things (IoT) devices you have connected to your environment. Health and Human Services (HHS) asks about them too!
In addition, you will need to periodically review your risk analysis to assess whether changes in your environment necessitate updates to your security measures. Under the HIPAA Security Rule, the frequency of reviews will vary among Covered Entities (CEs) and Business Associates (BAs).
Some CEs may need to perform these reviews annually or as needed depending on the circumstances of their environment.
Sample Six-Step Approach for Implementing a Security Management Process
The six sample steps discussed here are:
Step 1: Lead your culture, select your team, and learn
Step 2: Document your process, findings, and actions
Step 3: Review existing security of ePHI (perform a Security Risk Analysis)
Step 4: Develop an Action Plan
Step 5: Manage and mitigate risks
Step 6: Monitor, audit, and update security on an ongoing basis
Note: Performing the risk analysis in-house may require an upfront investment of your time and a staff member’s time to understand and address your security issues with respect to the HIPAA Security Rule.
Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details; they expect those details to remain secure.
Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?
YOUR security risk analysis process is an opportunity to learn as much as possible about the health of your information security. Don’t ignore YOUR need to be HIPAA compliant! Any device or media that contains PHI needs to be properly protected – HIPAA is not system or hardware specific – it applies to all!
For tips like this and more request your copy of “HIPAA Security Rule – Know The Rules!” Newsletter Today.