Resource Overview

Conducting an SRA in accordance with HIPAA policy is a complex task, especially for small to medium providers such as community health centers. The HIPAA Security Rule mandates security standards to safeguard electronic Protected Health Information (ePHI) maintained by electronic health record (EHR) technology, with detailed attention to how ePHI is stored, accessed, transmitted, and audited. This rule is different from the HIPAA Privacy Rule, which requires safeguards to protect the privacy of PHI and sets limits and conditions on its use and disclosure. Meaningful Use supports the HIPAA Security Rule. In order to successfully attest to Meaningful Use, providers must conduct a security risk assessment (SRA), implement updates as needed, and correctly identify security deficiencies. By conducting an SRA regularly, providers can identify and document potential threats and vulnerabilities related to data security, and develop a plan of action to mitigate them.

Security vulnerabilities must be addressed before the SRA can be considered complete. Providers must document the process and steps taken to mitigate risks in three main areas: administration, physical environment, and technical hardware and software. The following set of resources provides education, strategies, and tools for conducting an SRA.

Security Risk Analysis Resources
How to Establish an Ongoing Security Program and Meet Meaningful Use Requirements for Security Risk Analysis

An SRA brief for Health Centers

Overview

In order to comply with the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA), you need to maintain an ongoing security program. The HIPAA Security Rule mandates security standards to safeguard electronic protected health information (ePHI) maintained by electronic health record (EHR) technology, with detailed attention to how ePHI is stored, accessed, transmitted, and audited. This rule is different from the HIPAA Privacy Rule, which requires safeguards to protect the privacy of protected health information (PHI) and sets limits and conditions on the use and disclosure of PHI. 

Meaningful use supports the HIPAA Security Rule. In order to successfully attest in Stage 1, you must conduct a security risk analysis (SRA), implement updates as needed, and correct identified security deficiencies. Stage 2 will include the need to adequately encrypt data. By conducting an SRA regularly, providers can identify and document potential threats and vulnerabilities related to data security, and develop a plan of action to mitigate them. Common security risks in a medical practice include:

  • Inadequate protection of workstations (due to sharing of passwords, or the use of out-of-date antivirus software)
  • Inadequate protection of data on mobile devices or portable media (such as CDs and USB drives)
  • Lack of documented policies and procedures for backing up and recovering data

An ongoing security program addresses administrative, physical, and technical safeguards. A well-implemented program protects the practice from expensive data breaches, and it indirectly protects the reputation of the medical practice.

Actions to Take to Establish a Security Program

The elements of a security program must be understood and applied specifically to the needs of your practice. As described in more detail in later sections of this document, recommended actions include:

  1. Provide staff training in privacy and security
  2. Establish policies and procedures for the security program
  3. Conduct the SRA to identify risks and threats
  4. Implement risk mitigation strategies to ensure appropriate precautions are in place
  5. Ensure continuous monitoring of all critical functions

1. Provide Staff Training

Staff training is needed to raise awareness about the necessity of maintaining an ongoing security program. The basic training would include information about topics such as:

  • HIPAA Security Rule
  • Differences between privacy and security
  • Types of ePHI
  • Negative effects of security breaches
  • Potential security risks in a medical practice
  • Components of an SRA

After the SRA is done, training can focus on mitigating risks specific to the practice, either for groups or individual staff members. Training could include topics such as password management, and when and how to encrypt data.

2. Establish Policies and Procedures

Your practice can create a central security policy document and familiarize all employees and contractors with its contents. Policy requirements and restrictions in this document apply to network infrastructures, databases, external media, encryption, hardcopy reports, films, slides, wireless devices, telecommunication, conversations, and any other methods used to convey information across all hardware, software, and data transmission mechanisms. The document should also include plans for data backup, disaster recovery, and how to authenticate requests for information.

Information security also includes policies for personnel, which can be added to your personnel policies manual. These would define actions and prohibitions that all users must follow, including guidelines for the acceptable use of technology equipment, e-mail, and Internet connections.

Federal regional extension centers (RECs) have policy document examples and templates. The REC that serves your area can help you to develop a detailed security policy that suits your practice’s needs.

3. Conduct Security Risk Analysis

The SRA is a process for reviewing infrastructure and safeguards related to the HIPAA Security Rule. This task may seem daunting, but REC training and SRA tools and checklists are available that can step you through the requirements.

As part of the SRA, you will need to inventory the locations of all servers, computers, storage, and mobile devices, as well as the ePHI data that are stored on each. Collect information about maintenance and service agreements that can be used in the event of theft or destruction of these devices.

4. Implement Mitigation Strategies

A well-done security risk assessment will identify security vulnerabilities. These vulnerabilities must be addressed before the SRA can be considered complete. Practices must document the process and steps taken to mitigate risks in three main areas: administration, physical environment, and technical hardware and software. Safeguards include instituting security reminders, protection from malicious software, encryption procedures, and password management.

After building a program to mitigate risks, the practice should develop an ongoing security awareness program to keep security embedded in the practice's culture. Staff also should get security training when environmental or operational changes affect the security of ePHI. Many medical practices do not have the resources to develop a security awareness training program. RECs can provide tools and training tailored to the risks identified, including scenario-based training in which staff consider how to respond to actual situations.

5. Ensure Continuous Monitoring

A key to a strong security program is regular review of system audit logs to assess whether there have been any instances of unauthorized access or access attempts aimed at patient records. You should ensure that audit controls and the audit trail are activated in your EHR system. You will also want to conduct regular reviews of backup and disaster recovery plans, antivirus and malware protection, and password requirements.

You should set a regular schedule for updating the SRA, such as annually or bi-annually. The process also should be initiated on an as-needed basis—such as after a security incident, turnover in key staff, or the addition of new technology—to ensure that ePHI is appropriately protected.


Acknowledgements

This resource collection was cultivated and developed by the HITEQ team with valuable suggestions and contributions from HITEQ Project collaborators.
