Section 6.2 Optimize

Section 6 Optimize—Privacy and Security Risk Analysis - 1

Privacy and Security Risk Assessment

This tool helps you conduct a security risk assessment to help you comply with HIPAA and to reduce your risk of a privacy or security breach.

Time needed: The process of completing a security risk analysis is time-consuming. Depending on what is already in place, this process may take weeks to complete.
Suggested other tools: NA

Introduction

Compliance with the HIPAA Security Rule has been required of all HIPAA-covered entities (including behavioral health facilities) since April 20, 2005. The Omnibus Rule, which became effective September 23, 2013, holds all business associates of HIPAA-covered entities accountable for complying with the Security Rule as well. This should be addressed in the covered entities’ business associate agreements. Conducting a security risk analysis is one of the requirements of the HIPAA Security Rule. In addition, the HITECH Act of 2009, modified by the Omnibus Rule, requires federal breach notification when the privacy or security of protected health information (PHI) is compromised. Finally, the federal incentive program for meaningful use (MU) of electronic health records (EHRs) requires that a security risk analysis be performed and that all technical security controls specified in HIPAA are in place.

The Office of Civil Rights developed a document to help you understand these requirements. Please take time to read it. You can download it here: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Social Service Agencies as Business Associates

HIPAA defines a business associate as a person or entity who performs work on behalf of or for a covered entity. A social service agency is not a covered entity (a health plan, health care clearinghouse, or health care provider performing HIPAA electronic transactions for administrative and financial purposes), nor is it a business associate, because regular work is not performed for a covered entity. Therefore, agencies must access individuals’ protected health information (PHI) through authorizations from the individual, through a health information exchange organization (HIO), or via court order.

Social service agencies do have data stewardship responsibility when obtaining PHI. Social service agencies should understand the HIPAA Privacy and Security Rules and adopt their standards as applicable. The HIPAA Security Rule is actually very generic and consistent with the security needs of any organization in any industry.

Understanding Risk Assessment

Risk assessment is a complex and highly technical discipline. The good news is that there are well-written documents that explain the theory and practice of completing a risk assessment. If you want to understand risk assessment, there is no better authority than the National Institute of Standards and Technology (NIST). Follow this link to a very useful overview of risk assessment:

http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf. The diagram on the following page, from the NIST document, sums up the process.

Completing the Risk Assessment

Below, we provide links to various risk assessment tools and resources. We advise taking a look at all of them before selecting one to use:

·  HIPAA COW tools: The name is amusing, but the resources available on the site of this Wisconsin-based collaborative are very strong. Follow this link to their Risk Assessment toolkit: http://hipaacow.org/resources/hipaa-cow-documents/risk-toolkit/

·  The federal government’s comprehensive site features a powerful and user-friendly HIPAA Risk Assessment tool. Follow this link to that tool: http://www.healthit.gov/providers-professionals/security-risk-assessment-tool

·  In addition to the tool, HealthIT.gov provides a series of informative videos that help you understand important risk assessment topics. Follow this link to the videos: http://www.healthit.gov/providers-professionals/security-risk-assessment-videos

As you complete a Security Risk Analysis or update the one you have, pay particular attention to new threats and vulnerabilities as you add EHR and health information exchange (HIE) applications. In addition, as a provider of behavioral health services, you will find this specific guidance from the Office of Civil Rights useful: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html

Data Breach Notification

Despite your efforts, it is possible that a data breach may occur within your organization. If this were to happen, you are mandated to report the breach.

In addition to HIPAA requirements, the HITECH Act of 2009 (as modified by the Omnibus Rule) and 44 states have data breach notification requirements. For a copy of the Omnibus Rule, see http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html.

The following is a summary of the federal breach discovery and notification process.

Minnesota also has a data breach notification law which, although it does not specifically target health information, is still relevant. Follow this link for details: https://www.revisor.mn.gov/statutes/?id=325E.61

Note: please consult with your legal counsel for additional information and assistance with your Security Risk Analysis effort.

Copyright © 2014 Stratis Health. Updated 04-22-14