HIPAA Security Management Process in 6 Steps
Today I am breaking down the HIPAA Security Management Process, 45 CFR § 164.308(a)(1), into byte-size portions to help you understand how each piece is significant to your organization. Before breaking down today’s topic, I should first set the stage.
The HIPAA Security Rule’s Administrative Safeguards provisions require regulated entities to perform an accurate and thorough risk analysis as part of their security management processes. Risk analysis and risk management serve as tools to assist in the development of a regulated entity’s strategy to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
HIPAA Security Management Process Standards
The first standard under the Administrative Safeguards section is the Security Management Process. This standard requires regulated entities to:
Implement policies and procedures to prevent, detect, contain and correct security violations. The HIPAA Security Management standard has four required implementation specifications.
- Risk Analysis (Required)
- Risk Management (Required)
- Sanction Policy (Required)
- Information System Activity Review (Required)
Risk analysis and risk management processes are critical to a regulated entity’s compliance efforts. The results from the risk analysis and risk management processes become the baseline for security processes within the regulated entity’s organization.
The Risk Analysis implementation specification, 45 CFR § 164.308(a)(1)(ii)(A), requires regulated entities to:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the regulated entities.
The scope of the risk analysis requirement in the HIPAA Security Rule is expansive. It requires you to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI that your organization creates, receives, maintains, or transmits.
This includes ePHI in all electronic systems and all forms of electronic media, such as:
- Cell phones
- Hard drives
- Compact discs (CDs)
- Digital video discs (DVDs)
- Smart cards or other storage devices
- Transmission media
- Portable electronic media
- Any connected Internet of Things (IoT) devices
Your risk analysis process is an opportunity to learn as much as possible about the health of your information security. Don’t ignore your need to be HIPAA compliant! Any device or media that contains ePHI needs to be properly protected – HIPAA is not system or hardware specific – it applies to all!
Risk Management is a required implementation specification, 45 CFR § 164.308(a)(1)(ii)(B). It requires an organization to make decisions about how to address security risks and vulnerabilities. The Risk Management implementation specification states that regulated entities must:
Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 45 CFR § 164.306(a).
Risk management is the process used to identify and implement security measures to reduce risks to a reasonable and appropriate level.
Regulated entities will want to make sure their risk management strategy takes into account the characteristics of their environment, including these four factors:
- The size, complexity, and capabilities of the regulated entity.
- The regulated entity’s technical infrastructure, hardware, and software security capabilities.
- The costs of security measures.
- The probability and criticality of potential risks to electronic protected health information.
These four factors help determine which potential security measures are reasonable and appropriate for the environment.
NOTE: Regulated entities must ensure their risk analysis and risk management activities are ongoing and dynamic processes that change as the environment or operations change.
Another implementation specification in the HIPAA Security Management Process is the Sanction Policy, 45 CFR § 164.308(a)(1)(ii)(C). It requires regulated entities to:
Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the regulated entity.
Appropriate sanctions must be in place so that workforce members understand the consequences of failing to comply with security policies and procedures; this deters non-compliance.
Information System Activity Review
The HIPAA Security Management Process standard also includes the Information System Activity Review implementation specification, 45 CFR § 164.308(a)(1)(ii)(D). This required implementation specification states that regulated entities must:
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
The information system activity review enables regulated entities to determine if any ePHI is used or disclosed in an inappropriate manner. Information system activity review procedures may be different for each regulated entity.
The procedure should be customized to fit the organization’s risk management strategy and take into account the capabilities of all information systems that hold ePHI.
6 Steps to HIPAA Security Management Process
Now for the moment you’ve all been waiting for …
Below are six steps to help you start:
- Lead your culture, select your team, and learn
- Document your process, findings, and actions
- Review existing security of ePHI (perform a Security Risk Analysis)
- Develop an Action Plan
- Manage and mitigate risks
- Monitor, audit, and update security on an ongoing basis
Note: Performing the risk analysis in-house may require an upfront investment of your time and a staff member’s time to understand and address your security issues with respect to the HIPAA Security Rule.